Hey, doesn't bother me, we finally got TPM and trusted boot support integrated into SIMP ;-).
Except for...well...the fact that UEFI doesn't Trusted Boot in RHEL (*sigh*).

Trevor

On Mon, Oct 29, 2018 at 4:30 PM Brent Kimberley <[email protected]> wrote:

> Like Trusted computing: power-on-self-test, trusted core, trusted
> interpreter measurements?
>
> *From:* Trevor Vaughan [mailto:[email protected]]
> *Sent:* Monday, October 29, 2018 4:24 PM
> *To:* SCAP Security Guide <[email protected]>
> *Subject:* Re: FIPS Checker
>
> Well, checking to see if the system is in FIPS mode at the kernel level is
> pretty easy (fipscheck).
>
> I would like to know that it's actually the way the vendor intended but I
> couldn't determine a good way to do that. Seems like something that the
> vendors would want to supply/encourage for those customers that need it.
>
> On Mon, Oct 29, 2018 at 4:17 PM Mark Thacker <[email protected]> wrote:
>
> AHHH.
>
> Well, checking the signatures of the RPMs versus what we posted in the
> certification would be a start. (sorry, manual there unless you automate
> using Ansible or OpenSCAP perhaps)
>
> You can check that the kernel is running in FIPS mode, of course, but I'm
> not sure that's all you want to check.
>
> BTW : That process of checking that the system is configured in FIPS does
> get easier in the future.....
>
> On Mon, Oct 29, 2018 at 4:03 PM Trevor Vaughan <[email protected]>
> wrote:
>
> Actually, Mark, you've kind of nailed it on the head for me.
>
> I would like to be able to know that the system is the way it's *supposed*
> to be instead of just kind of doing my best and hoping that something
> didn't break.
>
> I was hoping that the validated modules area would have an XML file or
> something that could be downloaded and processed :-|.
>
> Anyway, it seems like it would be an appropriate addition to the SCAP
> scans since there is already the requirement to be enabled being checked
> for various profiles. I was just hoping that someone had magically created
> it.
> Thanks,
>
> Trevor
>
> On Mon, Oct 29, 2018 at 3:59 PM Mark Thacker <[email protected]> wrote:
>
> We've definitely talked about this and there isn't a clear programmatic
> means to achieve this.
>
> Of course, we do log which specific version of the libraries that we build
> and test against in our certification report. So, those could be used to
> compare a running system against the certification report.
>
> Yes, I also understand that sometimes the desire is to be able to show
> that CentOS or Fedora is NOT FIPS certified versus RHEL. Of course, that
> assumes that the RHEL you are running on IS actually certified.
>
> On Mon, Oct 29, 2018 at 3:39 PM Gabe Alford <[email protected]> wrote:
>
> Outside of going to
> https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search
>
> and clicking `search` with empty search parameters, don't know of anything.
>
> On Mon, Oct 29, 2018 at 1:33 PM Trevor Vaughan <[email protected]>
> wrote:
>
> Hi All,
>
> Does anyone know of a project that can correlate the running operating
> system with the latest information on the FIPS 140 approved products list.
>
> Basically, I'm looking for a command where I can run something like
> `fipscertified` and get back a `0` or `1` based on the result of the
> latest/updated data.
>
> Bonus points, I'd love to be able to point it at apps and have it tell me,
> but that's a long shot given the statically compiled wonderland we all seem
> to be living in these days.
> Thanks,
>
> Trevor
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699 x788
>
> -- This account not approved for unencrypted proprietary information --
>
> _______________________________________________
> scap-security-guide mailing list --
> [email protected]
> To unsubscribe send an email to
> [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
>
> --
> Mark Thacker
> Principal Technical Product Manager, Security, Red Hat Enterprise Linux
> Email: [email protected]
> IRC / Freenode : mthacker
> Mobile: +1-214-636-7004
>
> THIS MESSAGE IS FOR THE USE OF THE INTENDED RECIPIENT(S) ONLY AND MAY
> CONTAIN INFORMATION THAT IS PRIVILEGED, PROPRIETARY, CONFIDENTIAL, AND/OR
> EXEMPT FROM DISCLOSURE UNDER ANY RELEVANT PRIVACY LEGISLATION. No rights to
> any privilege have been waived. If you are not the intended recipient, you
> are hereby notified that any review, re-transmission, dissemination,
> distribution, copying, conversion to hard copy, taking of action in
> reliance on or other use of this communication is strictly prohibited. If
> you are not the intended recipient and have received this message in error,
> please notify me by return e-mail and delete or destroy all copies of this
> message.
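An added example, not part of the thread and not code from SIMP, Red Hat or OpenSCAP: one way the `fipscertified` check asked about above could be assembled from the two pieces the thread names, the kernel FIPS flag and a comparison of installed builds against the certification report. The `VALIDATED` table, all function names and the 0-means-pass convention are assumptions; the versions in it are constructed placeholders, not values from any certificate.

```python
import subprocess
from pathlib import Path

# Constructed placeholder data. In practice this table is transcribed by hand
# from the vendor's certification report; these builds are NOT real.
VALIDATED = {
    "openssl-libs": {"0.0.1-1.example"},
    "kernel": {"0.0.2-1.example", "0.0.2-2.example"},
}

def kernel_fips_enabled(flag_text):
    """Interpret the contents of /proc/sys/crypto/fips_enabled."""
    return flag_text.strip() == "1"

def mismatches(installed, validated):
    """Map each validated package to its installed builds that are not in the
    report. A package that is not installed at all maps to an empty list."""
    bad = {}
    for name, good in validated.items():
        have = installed.get(name, set())
        # Strict: every installed build (e.g. several kernels) must be listed.
        if not have or not have <= good:
            bad[name] = sorted(have - good)
    return bad

def fipscertified(flag_text, installed, validated=VALIDATED):
    """Shell-style result (assumed convention): 0 when FIPS mode is on and
    every listed package matches the report, 1 otherwise."""
    if not kernel_fips_enabled(flag_text):
        return 1
    return 1 if mismatches(installed, validated) else 0

def read_host():
    """Collect live inputs on an RPM-based host."""
    flag = Path("/proc/sys/crypto/fips_enabled").read_text()
    out = subprocess.run(
        ["rpm", "-qa", "--qf", "%{NAME} %{VERSION}-%{RELEASE}\n"],
        check=True, capture_output=True, text=True).stdout
    installed = {}
    for line in out.splitlines():
        name, _, build = line.partition(" ")
        installed.setdefault(name, set()).add(build)
    return flag, installed

if __name__ == "__main__":
    raise SystemExit(fipscertified(*read_host()))
```

A pass here only means the host matches the transcribed table; as noted in the thread, whether that table reflects a current certificate still has to be confirmed against the CMVP listing by hand.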
