AHHH. Well, checking the signatures of the RPMs versus what we posted in the certification would be a start. (Sorry, manual there unless you automate using Ansible or OpenSCAP perhaps.) You can check that the kernel is running in FIPS mode, of course, but I'm not sure that's all you want to check. BTW: That process of checking that the system is configured in FIPS does get easier in the future...
On Mon, Oct 29, 2018 at 4:03 PM Trevor Vaughan tvaughan@onyxpoint.com wrote:
Actually, Mark, you've kind of nailed it on the head for me.
I would like to be able to know that the system is the way it's *supposed* to be instead of just kind of doing my best and hoping that something didn't break.
I was hoping that the validated modules area would have an XML file or something that could be downloaded and processed :-|.
Anyway, it seems like it would be an appropriate addition to the SCAP scans since there is already the requirement to be enabled being checked for various profiles. I was just hoping that someone had magically created it.
Thanks,
Trevor
On Mon, Oct 29, 2018 at 3:59 PM Mark Thacker mthacker@redhat.com wrote:
We've definitely talked about this and there isn't a clear programmatic means to achieve this. Of course, we do log which specific version of the libraries that we build and test against in our certification report. So, those could be used to compare a running system against the certification report.
Yes, I also understand that sometimes the desire is to be able to show that CentOS or Fedora is NOT FIPS certified versus RHEL. Of course, that assumes that the RHEL you are running on IS actually certified.
On Mon, Oct 29, 2018 at 3:39 PM Gabe Alford redhatrises@gmail.com wrote:
Outside of going to https://csrc.nist.gov/projects/cryptographic-module-validation-program/valid... and clicking `search` with empty search parameters, don't know of anything.
On Mon, Oct 29, 2018 at 1:33 PM Trevor Vaughan tvaughan@onyxpoint.com wrote:
Hi All,
Does anyone know of a project that can correlate the running operating system with the latest information on the FIPS 140 approved products list?
Basically, I'm looking for a command where I can run something like `fipscertified` and get back a `0` or `1` based on the result of the latest/updated data.
Bonus points, I'd love to be able to point it at apps and have it tell me, but that's a long shot given the statically compiled wonderland we all seem to be living in these days.
Thanks,
Trevor
-- Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699 x788
-- This account not approved for unencrypted proprietary information -- _______________________________________________ scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedor...
-- Mark Thacker Principal Technical Product Manager, Security, Red Hat Enterprise Linux Email: mthacker@redhat.com IRC / Freenode : mthacker Mobile: +1-214-636-7004
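An added sketch of the check discussed in this thread (not code from any participant or from Red Hat): it combines the kernel FIPS flag with a comparison of installed package builds against a list transcribed by hand from a certification report. The function names, the list format and whatever versions are placed in the list are assumptions; a match shows only that the host agrees with the list supplied.

```shell
# Added example. Expected-list format (an assumption of this sketch):
#   one "name version-release" pair per line, '#' starts a comment.
# Typical use on an RPM-based host:
#   installed_packages > /tmp/installed.txt
#   fipscertified validated.txt /tmp/installed.txt; echo $?

# Return 0 if the kernel reports FIPS mode. $1 overrides the flag path.
fips_mode_enabled() {
    flag="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$flag" ] && [ "$(cat "$flag")" = "1" ]
}

# Print installed packages as "name version-release" lines.
installed_packages() {
    rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
}

# $1 = expected list, $2 = installed list (both in the format above).
# Prints one line per deviation and returns 1 if there is any.
compare_to_validated() {
    rc=0
    while read -r name want || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac
        have=$(awk -v n="$name" '$1 == n { print $2; exit }' "$2")
        if [ -z "$have" ]; then
            echo "MISSING  $name (expected $want)"; rc=1
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $name installed=$have expected=$want"; rc=1
        fi
    done < "$1"
    return "$rc"
}

# Return 0 only if FIPS mode is on AND every listed package matches.
# $3 optionally overrides the kernel flag path (used for offline testing).
fipscertified() {
    if ! fips_mode_enabled "${3:-/proc/sys/crypto/fips_enabled}"; then
        echo "kernel is not in FIPS mode"
        return 1
    fi
    compare_to_validated "$1" "$2"
}
```

Packages that are installed but absent from the expected list are ignored, so the list should name every cryptographic module the report covers.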