-
Notifications
You must be signed in to change notification settings - Fork 449
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fips plugin does not detect host fips mode properly #1745
Comments
I think #1754 may explain why FIPS detection isn't working properly. |
running Ohai version 18.1.4, Rocky (RHEL) 8.8 #1754 does provide some historical background and moves things in the right direction, but AFAICT, hasn't solved the underlying problem. On both windows and Linux (RHEL/Rocky specifically here), with FIPS enabled and acknowledged as such by chef when a chef client (v18.2.7 here) run starts up it says I know FIPS to be enabled on Windows because of the registry setting, and on RHEL because the kernel argument It's a bit confusing because while the attribute's name seems to indicate that Ohai is looking at the kernel configuration, the underlying implementation[1] is querying OpenSSL. To be fair to Ohai, technically the implementation is just passing the answer it gets from the OpenSSL gem: It's almost as if Ohai says it's looking at the kernel, but is really querying openssl while the startup message says it is asking OpenSSL but getting its answer from the kernel config? To complicate things further I believe (please correct me here) because FIPS "mode" is multiple things, the Linux kernel and openssl could be different. That is, setting aside the RHEL-specific [1] https://github.com/chef/ohai/blob/main/lib/ohai/plugins/fips.rb#L34 |
RIght, this gets at the question, "What does it mean to be in FIPS mode?" It depends on what level you mean:
|
Thanks. That insight helps confirm my understanding of the layers of "what is FIPS mode?" fips-enabled vs fips-validated further muddies the waters. For example, OpenSSL 3.0.8 is FIPS-validated, but 3.0.9 is not. You can easily compile the openssl FIPS module and get it running, but it seems as if unless you're doing it against the 3.0.8 source, you might have FIPS enabled and functioning perfectly well but are not in technical compliance. I honestly don't know how this works for the kernel. FIPS is one of those standards for which the "validated" seal of approval is time consuming, expensive and sometimes only applies to one specific version of a product. From my reading of it, many projects (including OpenSSL and the kernel) have historically refused or later only reluctantly decided to deal with it. I think the best Ohai can do is cover the enabled part. From there it's a question of communication. What information should Ohai provide and how to do so clearly. Maybe something along these lines:
I'm also starting to question the current implementation of the Ohai FIPS plugin wondering if it really is looking at the system openssl as we expect, or if it is looking at the ssl libraries bundled with the chef client package? Maybe this goes back to the earlier question of what is chef doing when it starts up to see that FIPS is enabled and how is it making this determination compared to how Ohai is doing it presently. |
Description
The "fips" plugin improperly detects whether the host is in FIPS mode or not. This is not a bug in the existing code per se but a larger flaw in the overall implementation of the goal.
Ohai Version
16.8.1
Platform Version
RHEL 7 (at least)
Ohai Output
Note below that a host with no fips mode enablement gets the same result as a host with fips mode turned on:
See https://github.com/chef/ohai/blob/main/lib/ohai/plugins/fips.rb#L33 where checking
OpenSSL::OPENSSL_FIPS
is used to set a true/false flag indicating, theoretically, that fips mode is on (true) or off (false).The text was updated successfully, but these errors were encountered: