Bug 923782 - Simplify enabling/disabling FIPS mode
Summary: Simplify enabling/disabling FIPS mode
Status: CLOSED DUPLICATE of bug 1553686
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: fipscheck
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: Tomas Mraz
QA Contact: Ondrej Moriš
URL:
Whiteboard:
Keywords: FutureFeature
Depends On:
Blocks: 1110706 1191020
 
Reported: 2013-03-20 12:36 UTC by Miloslav Trmač
Modified: 2018-12-10 14:55 UTC

Clone Of:
Last Closed: 2018-12-10 14:55:07 UTC



Description Miloslav Trmač 2013-03-20 12:36:14 UTC
Enabling FIPS mode as documented on https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Processing_Standard.html requires 6 steps, and users frequently omit at least one (typically prelink -u -a).

Can we simplify this?

1) It would be good if fipscheck etc. could be taught about prelink so that it wouldn't be necessary to disable prelink - however tmraz says that can't work reliably.

2) Regardless of 1), we can (and IMHO should) provide a simple command that does the 6 steps for the user, e.g.
> fips140 enable
> fips140 disable
> fips140 status

or something similar.

Really unsure against which component to file this... fipscheck is one possible place, or create a new package?

Comment 1 Miloslav Trmač 2013-03-20 12:43:33 UTC
Note that if this is implemented, the security guide will have to be updated as well.

Comment 3 Tomas Mraz 2013-03-20 14:07:51 UTC
As this would be a fairly simple script, I think it could be included in the fipscheck package.

Note that the instructions for RHEL-7 will slightly differ from RHEL-6 - at least due to change of boot loader to grub2.

Comment 4 Paul Wouters 2013-04-03 17:00:55 UTC
Reading through the instructions, I don't see anything about the cron job that prelinks at some weird unexpected interval. 

Regardless, I believe that the user should be asked to do a single thing: add fips=1 to the kernel boot line. And maybe even have some script for them to run to do that, because I seriously don't want to tell customers to look at grub2 "config files".

Anything else should be done for them. Disable prelinking, undo prelinking, ensure the cronjob doesn't screw it up, etc.

The cronjob should also be extended to NOT prelink when it detects it is running in FIPS mode, to avoid people shooting themselves in the foot. In the past I have removed prelink only to get it dragged in somehow on my system running in fips mode, running prelink because the stock /etc/sysconfig/prelink tells it to do so.

I'd still say we should just never prelink anything that has FIPS checks on it, but I guess I lost that argument long ago.
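Sketch of the single command proposed in comment #0 (`fips140 enable|disable|status`) doing the steps comment #4 asks to have done for the user: put `fips=1` on the kernel command line via the grub2 defaults file, set `PRELINKING=no` so the cron job stays quiet (comment #5), and run `prelink -u -a` to undo prelinking already applied. This is an added example written for this bug, not code from fipscheck or from RHEL; the `fips140` name, the file paths, the `grub2-mkconfig`/`dracut -f` regeneration step and the `FIPS140_APPLY` switch that gates it are assumptions made here so the file edits can be exercised on scratch copies. The other steps in the RHEL guide (installing dracut-fips, the `boot=` parameter when /boot is a separate partition) are deliberately not covered.

```shell
#!/bin/sh
# fips140: sketch of the one-command FIPS wrapper proposed in this bug.
# Added example, not fipscheck or RHEL code. Paths are overridable so the
# config edits can be tested against scratch files instead of the real ones.
PRELINK_CONF="${PRELINK_CONF:-/etc/sysconfig/prelink}"
GRUB_DEFAULT="${GRUB_DEFAULT:-/etc/default/grub}"
FIPS_FLAG="${FIPS_FLAG:-/proc/sys/crypto/fips_enabled}"

# set_kv FILE KEY VALUE: set KEY=VALUE in a shell-style config file,
# replacing an existing assignment or appending one.
set_kv() {
    if grep -q "^$2=" "$1" 2>/dev/null; then
        sed -i "s|^$2=.*|$2=$3|" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# cmdline_has_fips: 0 if GRUB_CMDLINE_LINUX already carries fips=1.
cmdline_has_fips() {
    grep -Eq '^GRUB_CMDLINE_LINUX=.*fips=1' "$GRUB_DEFAULT" 2>/dev/null
}

# cmdline_add_fips: append fips=1 inside the GRUB_CMDLINE_LINUX quotes,
# creating the line if the file has none. Idempotent; fails loudly if the
# line exists but could not be edited (e.g. unusual quoting).
cmdline_add_fips() {
    cmdline_has_fips && return 0
    if grep -q '^GRUB_CMDLINE_LINUX=' "$GRUB_DEFAULT" 2>/dev/null; then
        sed -i 's|^GRUB_CMDLINE_LINUX="\(.*\)"$|GRUB_CMDLINE_LINUX="\1 fips=1"|' "$GRUB_DEFAULT"
        sed -i 's|^GRUB_CMDLINE_LINUX=" fips=1"$|GRUB_CMDLINE_LINUX="fips=1"|' "$GRUB_DEFAULT"
    else
        printf 'GRUB_CMDLINE_LINUX="fips=1"\n' >> "$GRUB_DEFAULT"
    fi
    cmdline_has_fips || { echo "could not edit GRUB_CMDLINE_LINUX in $GRUB_DEFAULT" >&2; return 1; }
}

# cmdline_remove_fips: strip fips=1 from the GRUB_CMDLINE_LINUX line only.
cmdline_remove_fips() {
    sed -i -e '/^GRUB_CMDLINE_LINUX=/s/ *fips=1//' \
           -e '/^GRUB_CMDLINE_LINUX=/s/=" /="/' "$GRUB_DEFAULT"
}

# prelinking_on: 0 if /etc/sysconfig/prelink still says PRELINKING=yes.
prelinking_on() {
    grep -q '^PRELINKING=yes' "$PRELINK_CONF" 2>/dev/null
}

# prelink_disable: PRELINKING=no stops the prelink cron job; prelink -u -a
# undoes prelinking already applied, which fipscheck cannot verify.
prelink_disable() {
    set_kv "$PRELINK_CONF" PRELINKING no
    if command -v prelink >/dev/null 2>&1; then
        prelink -u -a
    fi
}

# fips_status: report kernel flag and configured state; returns 0 only
# when the running kernel is actually in FIPS mode.
fips_status() {
    running=$(cat "$FIPS_FLAG" 2>/dev/null || echo 0)
    if cmdline_has_fips; then configured=yes; else configured=no; fi
    if prelinking_on; then prelink=on; else prelink=off; fi
    echo "kernel fips: $running  cmdline fips=1: $configured  prelinking: $prelink"
    [ "$running" = 1 ]
}

# fips140 enable|disable|status. The grub2-mkconfig and dracut -f calls are
# assumed regeneration steps and only run when FIPS140_APPLY=1.
fips140() {
    case "$1" in
        enable)
            prelink_disable
            cmdline_add_fips
            if [ "${FIPS140_APPLY:-0}" = 1 ]; then
                grub2-mkconfig -o /boot/grub2/grub.cfg
                dracut -f
            fi
            echo "fips=1 configured; reboot to enter FIPS mode"
            ;;
        disable)
            cmdline_remove_fips
            if [ "${FIPS140_APPLY:-0}" = 1 ]; then grub2-mkconfig -o /boot/grub2/grub.cfg; fi
            echo "fips=1 removed; reboot to leave FIPS mode"
            ;;
        status) fips_status ;;
        *) echo "usage: fips140 enable|disable|status" >&2; return 2 ;;
    esac
}

case "${1:-}" in enable|disable|status) fips140 "$1" ;; esac
```

`status` distinguishes what is configured for the next boot from what the running kernel reports in /proc/sys/crypto/fips_enabled, which is the check that catches the usual failure mode of editing the config and forgetting to reboot; `enable` is idempotent, so running it twice does not duplicate `fips=1`.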

Comment 5 Miloslav Trmač 2013-04-03 17:14:39 UTC
(In reply to comment #4)
> Reading through the instructions, I don't see anything about the cron job
> that prelinks at some weird unexpected interval. 

Setting PRELINKING=no disables the operation of the cron job; it's not necessary to actually remove it.

> Regardless, I believe that the user should be requested a single thing. Add
> fips=1 to the kernel boot line. And maybe even have some script for them to
> run to do that because I seriously don't want to tell customers to look at
> grub2 "config files".

Yes, that's what 2) in comment #0 proposes.

Comment 8 Paul Wouters 2014-02-10 17:07:00 UTC
just kill prelink. see the many many many bugzilla/fedora discussions :P

at the very least, fix prelink so it runs prelink -ua on uninstall as I've proposed years ago.

Comment 9 Miloslav Trmač 2014-02-11 14:46:57 UTC
(In reply to Paul Wouters from comment #8)
> at the very least, fix prelink so it runs prelink -ua on uninstall as I've
> proposed years ago.

This is already tracked as bug #1019225, and doesn't affect the need to simplify the other steps as well.  Making the content of this bug overwhelmingly prelink-focused would miss the point.

Comment 11 Nikos Mavrogiannopoulos 2018-12-10 14:55:07 UTC

*** This bug has been marked as a duplicate of bug 1553686 ***

