Chuck,

This is a very philosophical question, and I tend to lean towards what I see as RH’s perspective. FIPS certification is more than just turning on ciphers, which you can do on CentOS; doing so covers only the technical part, not the whole chain. If you look at the DISA STIG checks for FIPS ciphers, they check not only that sshd_config is correct, but also that you’re running RH (even if you turn off the OS check). It doesn’t do this for every check, just the checks related to FIPS.
If I can give an analogy, FIPS is like a signature on a piece of paper. Configuring FIPS is like signing a document, but having that signature notarized, while not technically doing anything to the signed piece of paper, gives the paper much more legal weight. However, that doesn’t make an unnotarized signed document worthless. So, having a CentOS system with proper technical configurations in place is better than not doing so (like having a will on a piece of paper in the top drawer of your dresser is better than not having a will), but calling that configuration “FIPS enabled” is not the case. It’s “just” a server with certain ciphers enabled.

So, if I were king for a day, I would propose the idea that having a server pass a “FIPS valid” check would require passing other checks (ciphers, kernel FIPS configuration, supported RHEL OS). A hardened CentOS system could be configured to pass the cipher check and kernel checks, but fail the supported OS and the meta FIPS validated check.

--
Tom Albrecht III, CISSP-ISSEP, GPEN, RHCSA
Cyber Architect, Lockheed Martin RMS
[email protected] – 610-906-4356
Please consider supporting my work in Africa https://www.gofundme.com/computer-network-for-abi

From: Chuck Atkins <[email protected]>
Sent: Friday, October 11, 2019 1:11 PM
To: SCAP Security Guide <[email protected]>
Subject: EXTERNAL: Excessive FIPS checks

So, I tried doing this via GitHub but it seems the issue and PR were just abruptly closed within 20m without any meaningful conversation, so I'm hoping that there can be a more fruitful discussion on the list here.

https://github.com/ComplianceAsCode/content/issues/4917
https://github.com/ComplianceAsCode/content/pull/4920

The issue in question is that any FIPS-related check includes a test for whether or not the OS is FIPS certified. That seems to make sense as a stand-alone rule, but shouldn't that be orthogonal to whether or not SSH is configured to use FIPS-approved crypto algorithms, or whether AIDE is configured to exclusively use FIPS-approved hashes? The rule isn't whether or not ssh is FIPS approved but just whether or not its configuration is such that only approved ciphers are used.

----------
Chuck Atkins
Staff R&D Engineer, Scientific Computing
Kitware, Inc.
(518) 881-1183
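The layered arrangement Tom sketches above (a cipher check, a kernel FIPS-mode check, a supported-OS check, and a "FIPS validated" meta check that requires all three) can be modelled as separate shell functions so that the orthogonality Chuck asks for is visible: the sshd cipher check passes or fails on its own, and only the meta check cares which OS is running. This is an added example for this thread, not code from ComplianceAsCode or from either poster. The approved-cipher list, the rule that only ID=rhel counts as a certified OS, and all input files are assumptions constructed for the illustration; on a real host the checks would read /etc/ssh/sshd_config, /proc/sys/crypto/fips_enabled and /etc/os-release instead of the fixture files.

```sh
#!/bin/sh
# Added example (not ComplianceAsCode content): three independent FIPS-related
# checks plus a meta check that requires all of them, so a hardened CentOS host
# passes the cipher and kernel checks but fails the "FIPS validated" check.

# Assumed FIPS-approved SSH cipher list for this illustration only; the
# authoritative list comes from the SCAP content / system crypto policy.
FIPS_CIPHERS="aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com"

# Check 1: every cipher on the (last) "Ciphers" line of an sshd_config file
# is on the approved list. $1 = path to the sshd_config file.
check_sshd_ciphers() {
    line=$(grep -iE '^[[:space:]]*Ciphers[[:space:]]' "$1" | tail -n 1)
    # No explicit Ciphers line means OpenSSH defaults apply, which include
    # non-approved algorithms, so treat that as a failure.
    [ -n "$line" ] || return 1
    for c in $(printf '%s\n' "$line" | awk '{print $2}' | tr ',' ' '); do
        case " $FIPS_CIPHERS " in
            *" $c "*) ;;          # approved cipher
            *) return 1 ;;        # any unapproved cipher fails the check
        esac
    done
    return 0
}

# Check 2: kernel FIPS mode. $1 = path to a file standing in for
# /proc/sys/crypto/fips_enabled, so the example runs without a FIPS kernel.
check_kernel_fips() {
    [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# Check 3: the OS is one whose crypto modules carry a validation certificate.
# $1 = path to an os-release file. Accepting only ID=rhel is an assumption
# made for this example.
check_os_certified() {
    os_id=$(sed -n 's/^ID=//p' "$1" | tr -d '"')
    [ "$os_id" = "rhel" ]
}

# Meta check: "FIPS validated" only when all three underlying checks pass.
# $1 = sshd_config, $2 = fips_enabled file, $3 = os-release file.
check_fips_validated() {
    check_sshd_ciphers "$1" && check_kernel_fips "$2" && check_os_certified "$3"
}

# Writes constructed sample inputs (not captured from any real host) into a
# temporary directory and prints its path.
make_fixture() {
    d=$(mktemp -d)
    printf 'Ciphers aes256-gcm@openssh.com,aes128-ctr\nMACs hmac-sha2-256\n' > "$d/sshd_config.good"
    printf 'Ciphers aes256-ctr,chacha20-poly1305@openssh.com\n' > "$d/sshd_config.bad"
    printf '1\n' > "$d/fips_enabled.on"
    printf '0\n' > "$d/fips_enabled.off"
    printf 'NAME="CentOS Linux"\nID="centos"\nVERSION_ID="7"\n' > "$d/os-release.centos"
    printf 'NAME="Red Hat Enterprise Linux"\nID="rhel"\nVERSION_ID="8.0"\n' > "$d/os-release.rhel"
    printf '%s\n' "$d"
}

# Prints one pass/fail line per check for the given sshd_config,
# fips_enabled and os-release files.
report() {
    printf 'sshd ciphers:   %s\n' "$(check_sshd_ciphers "$1" && echo pass || echo fail)"
    printf 'kernel FIPS:    %s\n' "$(check_kernel_fips "$2" && echo pass || echo fail)"
    printf 'certified OS:   %s\n' "$(check_os_certified "$3" && echo pass || echo fail)"
    printf 'FIPS validated: %s\n' "$(check_fips_validated "$1" "$2" "$3" && echo pass || echo fail)"
}

# Stand-alone demo: a hardened CentOS host with approved ciphers and kernel
# FIPS mode on passes the first two checks but not the OS or meta check.
FX=$(make_fixture)
echo "Hardened CentOS host:"
report "$FX/sshd_config.good" "$FX/fips_enabled.on" "$FX/os-release.centos"
rm -rf "$FX"
```

Running the script prints pass for the cipher and kernel checks, and fail for the certified-OS and FIPS-validated lines on the CentOS fixture; swapping in the RHEL os-release fixture flips only the last two lines, which is the separation of concerns the thread is arguing about.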
_______________________________________________
scap-security-guide mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
