FC12: Hidden files in /usr/bin/*
Przemek Klosowski
przemek.klosowski at nist.gov
Fri Jan 22 15:24:21 UTC 2010
On 01/22/2010 07:53 AM, Ralf Corsepius wrote:
> On 01/22/2010 01:22 PM, Tomas Mraz wrote:
>> These are checksums required by FIPS-140-2 integrity verification checks
>> of the fipscheck and ssh binaries.
>
> I.e. package data.
>
> => These packages are non-FHS compliant and qualify as broken.
I don't believe so---it's not my line of business but I understand that
- in some circumstances (government, regulated companies) encryption
must be certified to the FIPS 140-2 standard
- on Linux encryption (https, ssh) is handled by OpenSSL, which went
through the FIPS certification process
- one of the conditions of FIPS certification is a capability for
run-time consistency checks, hence the fipscheck package
- the fipscheck package checks against the checksums stored in the
.XXX.hmac files, therefore those files are required if a system needs
to be FIPS-compliant.
Having said that, I don't understand how does this scheme prevent
someone from subverting the executable and creating a matching .hmac
file, so that the fipscheck fails to see the problem. I expect it's
handled properly but I don't know how.
More information about the devel
mailing list