Like Trusted computing: power-on-self-test, trusted core, trusted interpreter 
measurements?

From: Trevor Vaughan [mailto:[email protected]]
Sent: Monday, October 29, 2018 4:24 PM
To: SCAP Security Guide <[email protected]>
Subject: Re: FIPS Checker

Well, checking to see if the system is in FIPS mode at the kernel level is 
pretty easy (fipscheck).

I would like to know that it's actually the way the vendor intended but I 
couldn't determine a good way to do that. Seems like something that the vendors 
would want to supply/encourage for those customers that need it.

On Mon, Oct 29, 2018 at 4:17 PM Mark Thacker 
<[email protected]<mailto:[email protected]>> wrote:
AHHH.
Well, checking the signatures of the RPMs versus what we posted in the 
certification would be a start. (Sorry, manual there unless you automate using 
Ansible or OpenSCAP perhaps.)
You can check that the kernel is running in FIPS mode, of course, but I'm not 
sure that's all you want to check.
BTW: That process of checking that the system is configured in FIPS does get 
easier in the future...

On Mon, Oct 29, 2018 at 4:03 PM Trevor Vaughan 
<[email protected]<mailto:[email protected]>> wrote:
Actually, Mark, you've kind of nailed it on the head for me.

I would like to be able to know that the system is the way it's *supposed* to 
be instead of just kind of doing my best and hoping that something didn't break.

I was hoping that the validated modules area would have an XML file or 
something that could be downloaded and processed :-|.

Anyway, it seems like it would be an appropriate addition to the SCAP scans 
since there is already the requirement to be enabled being checked for various 
profiles. I was just hoping that someone had magically created it.

Thanks,

Trevor

On Mon, Oct 29, 2018 at 3:59 PM Mark Thacker 
<[email protected]<mailto:[email protected]>> wrote:
We've definitely talked about this and there isn't a clear programmatic means 
to achieve this.
Of course, we do log which specific version of the libraries that we build and 
test against in our certification report. So, those could be used to compare a 
running system against the certification report.

Yes, I also understand that sometimes the desire is to be able to show that 
CentOS or Fedora is NOT FIPS certified versus RHEL. Of course, that assumes 
that the RHEL you are running on IS actually certified.

On Mon, Oct 29, 2018 at 3:39 PM Gabe Alford 
<[email protected]<mailto:[email protected]>> wrote:
Outside of going to 
https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search
and clicking `search` with empty search parameters, don't know of anything.

On Mon, Oct 29, 2018 at 1:33 PM Trevor Vaughan 
<[email protected]<mailto:[email protected]>> wrote:
Hi All,

Does anyone know of a project that can correlate the running operating system 
with the latest information on the FIPS 140 approved products list?

Basically, I'm looking for a command where I can run something like 
`fipscertified` and get back a `0` or `1` based on the result of the 
latest/updated data.

Bonus points, I'd love to be able to point it at apps and have it tell me, but 
that's a long shot given the statically compiled wonderland we all seem to be 
living in these days.

Thanks,

Trevor

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
_______________________________________________
scap-security-guide mailing list -- 
[email protected]<mailto:[email protected]>
To unsubscribe send an email to 
[email protected]<mailto:[email protected]>
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]


--
Mark Thacker
Principal Technical Product Manager, Security,  Red Hat Enterprise Linux
Email: [email protected]<mailto:[email protected]>
IRC / Freenode : mthacker
Mobile: +1-214-636-7004
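
The check discussed in this thread (kernel FIPS flag plus a comparison of installed package versions against the list in the certification report), as an added example that is not part of the original messages or any vendor tool. The package names, versions and file layout are constructed, and the validated list is assumed to be transcribed by hand from the certification report.

```shell
#!/bin/sh
# Added example (constructed data); not a vendor or SCAP Security Guide tool.

# 0 if the flag file (on Linux: /proc/sys/crypto/fips_enabled) contains "1".
fips_kernel_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# unvalidated_packages VALIDATED INSTALLED
# Each file holds "name version-release" lines. VALIDATED is transcribed by
# hand from the certification report; INSTALLED can come from
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
# Prints one line per validated package that is missing or at another version.
unvalidated_packages() {
    awk '
        NR == FNR { want[$1] = $2; next }   # first file: validated versions
        ($1 in want) {
            seen[$1] = 1
            if ($2 != want[$1]) print $1, "installed=" $2, "validated=" want[$1]
        }
        END { for (p in want) if (!(p in seen)) print p, "installed=none", "validated=" want[p] }
    ' "$1" "$2"
}

# fipscertified FLAG_FILE VALIDATED INSTALLED
# Exit status 0 only when the kernel flag is set and no package has drifted.
fipscertified() {
    fips_kernel_enabled "$1" || { echo "kernel not in FIPS mode" >&2; return 1; }
    # An empty validated list must fail rather than match everything.
    [ -s "$2" ] || { echo "validated list is empty" >&2; return 1; }
    drift=$(unvalidated_packages "$2" "$3")
    [ -z "$drift" ] || { echo "$drift" >&2; return 1; }
}

# Constructed sample data: hypothetical package names and versions.
demo_dir=$(mktemp -d)
printf '1\n' > "$demo_dir/fips_on"
printf '0\n' > "$demo_dir/fips_off"
printf 'cryptolib-a 1.0-1\ncryptolib-b 2.3-4\n' > "$demo_dir/validated"
printf 'cryptolib-a 1.0-1\ncryptolib-b 2.3-4\nbash 4.2-1\n' > "$demo_dir/match"
printf 'cryptolib-a 1.0-1\ncryptolib-b 2.3-5\nbash 4.2-1\n' > "$demo_dir/drift"

fipscertified "$demo_dir/fips_on" "$demo_dir/validated" "$demo_dir/match" \
    && echo "match: certified configuration"
fipscertified "$demo_dir/fips_on" "$demo_dir/validated" "$demo_dir/drift" \
    || echo "drift: not the certified configuration"
```

A version match says nothing about package signatures, which the thread suggests checking as well.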