On 10/29/18 4:11 PM, Mark Thacker wrote:
AHHH. Well, checking the signatures of the RPMs versus what we posted in the certification would be a start. (sorry, manual there unless you automate using Ansible or OpenSCAP perhaps) You can check that the kernel is running in FIPS mode, of course, but I'm not sure that's all you want to check.
Current content evaluates FIPS enablement (e.g. grub fips=1).
We can *easily* enhance these checks to ensure the appropriate RPMs are installed too. If this would be valuable, it's very very quick/trivial to do.
BTW: That process of checking that the system is configured in FIPS does get easier in the future.....
hayyyyy I thought the first rule of $thingThatShallNotBeNamed was to not talk about $thingThatShallNotBeNamed in public? Don't worry, I won't tell ;)