Well, checking to see if the system is in FIPS mode at the kernel level is pretty easy (fipscheck).
I would like to know that it's actually the way the vendor intended but I couldn't determine a good way to do that. Seems like something that the vendors would want to supply/encourage for those customers that need it.

On Mon, Oct 29, 2018 at 4:17 PM Mark Thacker <[email protected]> wrote:

> AHHH.
> Well, checking the signatures of the RPMs versus what we posted in the
> certification would be a start. (sorry, manual there unless you automate
> using Ansible or OpenSCAP perhaps)
> You can check that the kernel is running in FIPS mode, of course, but I'm
> not sure that's all you want to check.
> BTW : That process of checking that the system is configured in FIPS does
> get easier in the future.....
>
> On Mon, Oct 29, 2018 at 4:03 PM Trevor Vaughan <[email protected]>
> wrote:
>
>> Actually, Mark, you've kind of nailed it on the head for me.
>>
>> I would like to be able to know that the system is the way it's
>> *supposed* to be instead of just kind of doing my best and hoping that
>> something didn't break.
>>
>> I was hoping that the validated modules area would have an XML file or
>> something that could be downloaded and processed :-|.
>>
>> Anyway, it seems like it would be an appropriate addition to the SCAP
>> scans since there is already the requirement to be enabled being checked
>> for various profiles. I was just hoping that someone had magically created
>> it.
>>
>> Thanks,
>>
>> Trevor
>>
>> On Mon, Oct 29, 2018 at 3:59 PM Mark Thacker <[email protected]> wrote:
>>
>>> We've definitely talked about this and there isn't a clear programmatic
>>> means to achieve this.
>>> Of course, we do log which specific version of the libraries that we
>>> build and test against in our certification report. So, those could be used
>>> to compare a running system against the certification report.
>>>
>>> Yes, I also understand that sometimes the desire is to be able to show
>>> that CentOS or Fedora is NOT FIPS certified versus RHEL. Of course, that
>>> assumes that the RHEL you are running on IS actually certified.
>>>
>>> On Mon, Oct 29, 2018 at 3:39 PM Gabe Alford <[email protected]>
>>> wrote:
>>>
>>>> Outside of going to
>>>> https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search
>>>> and clicking `search` with empty search parameters, don't know of
>>>> anything.
>>>>
>>>> On Mon, Oct 29, 2018 at 1:33 PM Trevor Vaughan <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> Does anyone know of a project that can correlate the running operating
>>>>> system with the latest information on the FIPS 140 approved products list.
>>>>>
>>>>> Basically, I'm looking for a command where I can run something like
>>>>> `fipscertified` and get back a `0` or `1` based on the result of the
>>>>> latest/updated data.
>>>>>
>>>>> Bonus points, I'd love to be able to point it at apps and have it tell
>>>>> me, but that's a long shot given the statically compiled wonderland we all
>>>>> seem to be living in these days.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Trevor
>>>>>
>>>>> --
>>>>> Trevor Vaughan
>>>>> Vice President, Onyx Point, Inc
>>>>> (410) 541-6699 x788
>>>>>
>>>>> -- This account not approved for unencrypted proprietary information --
>>>>> _______________________________________________
>>>>> scap-security-guide mailing list --
>>>>> [email protected]
>>>>> To unsubscribe send an email to
>>>>> [email protected]
>>>>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>>>>> List Guidelines:
>>>>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>> List Archives:
>>>>> https://lists.fedorahosted.org/archives/list/[email protected]
>>>>>
>>>
>>> --
>>> Mark Thacker
>>> Principal Technical Product Manager, Security, Red Hat Enterprise Linux
>>> Email: [email protected]
>>> IRC / Freenode : mthacker
>>> Mobile: +1-214-636-7004
>>>

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
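The two checks discussed in this thread (kernel FIPS flag, and installed package versions compared against the versions listed in a certification report) can be combined into a single 0/1 result. The following is an added example, not code from any participant or from the scap-security-guide project; the manifest format ("name version-release" per line, transcribed by hand from the report) and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example. The manifest is a hand-built file, one "name version-release"
# per line, transcribed from the vendor's certification report (assumed format).

# fips_kernel_enabled [flag_file]: 0 when the kernel reports FIPS mode.
fips_kernel_enabled() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$flag_file" ] && [ "$(cat "$flag_file")" = "1" ]
}

# installed_packages: "name version-release" for every installed RPM.
installed_packages() {
    rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
}

# manifest_mismatches manifest_file installed_file
# Prints one line per manifest entry that is absent or only present at a
# different version. A package installed at several versions (e.g. kernel)
# passes if any installed version matches the manifest.
manifest_mismatches() {
    awk '
        FILENAME == ARGV[1] { have[$1 " " $2] = 1; last[$1] = $2; next }
        NF == 0 || $1 ~ /^#/ { next }          # skip blanks and comments
        ($1 " " $2) in have { next }           # exact version is installed
        $1 in last { print "MISMATCH " $1 " (want " $2 ", have " last[$1] ")"; next }
        { print "MISSING  " $1 " (want " $2 ")" }
    ' "$2" "$1"
}

# fipscertified manifest_file installed_file [flag_file]
# Returns 0 only if the kernel is in FIPS mode and every manifest entry matches.
fipscertified() {
    fips_kernel_enabled "${3:-}" || { echo "kernel not in FIPS mode"; return 1; }
    report="$(manifest_mismatches "$1" "$2")"
    [ -z "$report" ] && return 0
    echo "$report"
    return 1
}

# Usage on an RPM-based host (manifest.txt is the hand-built file):
#   installed_packages > /tmp/installed.txt
#   fipscertified manifest.txt /tmp/installed.txt
```

A zero exit only means the host matches the transcribed list and the kernel flag is set; it says nothing about whether the list itself reflects the current validated-modules data.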
