Feature #3511

As a security person, I would like Foreman to run in FIPS mode

Added by Dmitri Dolguikh about 7 years ago. Updated about 2 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Security
Target version: -
Difficulty:
Triaged: No
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:

Related issues

Related to Katello - Feature #5313: FIPS compliancy (Rejected)
Related to Foreman - Feature #21748: Replace crypto- and hash-functions unapproved by FIPS with FIPS-approved ones (Closed, 2017-11-23)
Related to Foreman - Feature #21749: Create CI environment with FIPS enabled (New, 2017-11-23)
Related to Foreman - Feature #21750: Investigate Rails caching with FIPS enabled (Resolved, 2017-11-23)
Related to Foreman - Feature #21751: Investigate interoperability with Salt with FIPS enabled (New, 2017-11-23)
Related to Foreman - Feature #21752: Investigate interoperability with BMC/IPMI with FIPS enabled (New, 2017-11-23)
Related to Foreman - Feature #21753: Introduce verification of 3rd-party ssl certificates for FIPS-approved hash functions (New, 2017-11-23)
Related to Foreman - Feature #21754: Investigate interoperability with Puppet with FIPS enabled (Resolved, 2017-11-23)
Related to Installer - Feature #21755: Update dhcpd puppet module to use FIPS-approved hash function for omapi shared secret (Closed, 2017-11-23)
Related to Installer - Feature #21756: Update bind puppet module to use FIPS-approved hash function for dhcpd shared secret (Rejected, 2017-11-23)
Related to Foreman - Feature #21875: Add support for sha512 grub passwords to provisioning templates (Closed, 2017-12-05)
Related to Katello - Bug #23363: Katello uses md5hash function incompatible with FIPS-enabled environments (Closed, 2018-04-23)
Related to Katello - Bug #24732: FIPS Scheduled synchronization task ends with PG::UniqueViolation: ERROR: duplicate key value violates unique constraint "index_katello_repository_rpms_on_rpm_id_and_repository_id" (Resolved)
Related to Katello - Bug #24889: Docker repository sync on FIPS system fails with TypeError: can't quote ActiveSupport::HashWithIndifferentAccess (Resolved)
Related to Installer - Bug #24974: The kafo configure is generating incorrect 'foreman-proxy-client-bundle.pem' which is not allowing httpd service to start (Duplicate)
Related to Foreman - Feature #26203: Allow provisioning hosts into FIPS mode (Closed)
Related to Discovery - Feature #26204: Allow provisioning hosts into FIPS mode (Closed)
Related to Installer - Bug #26088: httpd fails to start after installing capsule in FIPS mode (Closed)
Has duplicate Foreman - Bug #12314: Foreman does not work with FIPS enabled (Duplicate, 2015-10-26)
Blocked by Foreman - Bug #22583: Replace MD5 by SHA1 for apipie cache checksum (Closed, 2018-02-14)
Blocked by Foreman - Bug #23128: Deface uses MD5 and doesn't work in FIPS-enable environment (Resolved)
Blocked by OpenSCAP - Bug #23130: unable to install theforeman-foreman_scap_client in FIPS-enabled environment (Rejected, 2018-04-05)
Blocked by Packaging - Bug #23312: angular-rails-templates uses MD5 causing problems FIPS-enabled envrionments (Closed)
Blocked by Foreman - Tracker #21834: Rails 5.2 upgrade tasks (Closed)
Blocked by Foreman - Feature #22119: Replace MD5 hashes with SHA (Closed)
Blocked by Foreman - Bug #25447: Unable to create puppet certificate request from RHEL5 with fips enabled (New)

History

#1 Updated by Dmitri Dolguikh about 7 years ago

- setup foreman, smart_proxy, and puppet in FIPS mode
- see what breaks

#2 Updated by Eric Helms over 5 years ago

#3 Updated by Dominic Cleal about 5 years ago

  • Has duplicate Bug #12314: Foreman does not work with FIPS enabled added

#4 Updated by Dominic Cleal about 5 years ago

Linked ticket #12314 has some specifics.

#5 Updated by Trevor Vaughan almost 5 years ago

Just wanted to make a note that a lot of the issue here may be that ActiveRecord does not support FIPS mode due to the explicit use of MD5.

Relevant Search: https://github.com/rails/rails/search?utf8=%E2%9C%93&q=md5

#6 Updated by Dmitri Dolguikh about 3 years ago

Please see https://groups.google.com/forum/#!topic/foreman-dev/CZFAY5FQl80 for the discussion of potential approaches.

#7 Updated by James Shewey about 3 years ago

  • Subject changed from As a securiyt person, I would like Foreman to run in FIPS mode to As a security person, I would like Foreman to run in FIPS mode

I have opened https://github.com/rails/rails/issues/31203 upstream for this issue. Meanwhile, it appears that Foreman uses Digest::MD5 in the following places:

./migrate/20140912113254_add_password_hash_to_operatingsystem.rb
./migrate/20150428110835_change_os_default_password_hash.rb
./app/controllers/api/v1/operatingsystems_controller.rb
./app/controllers/api/v2/operatingsystems_controller.rb
./app/helpers/unattended_helper.rb
./app/helpers/application_helper.rb
./app/models/setting/email.rb
./app/services/password_crypt.rb
./app/views/unattended/provisioning_templates/snippet/_bmc_nic_setup.erb

https://github.com/theforeman/foreman/search?utf8=%E2%9C%93&q=md5&type=
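
A local equivalent of the search in comment #7, as an added example that is not part of the original ticket or of Foreman's code: a Ruby scanner that reports where a source tree reaches MD5, including the `$1$` crypt prefix that a plain text search for "md5" misses. The pattern list, the function names and the sample files are assumptions of this example, and the sample tree is constructed.

```ruby
require 'find'
require 'fileutils'
require 'tmpdir'

# Forms in which Ruby code can reach MD5 (this example's own list, not exhaustive).
MD5_PATTERNS = {
  'Digest::MD5'         => /(?<!OpenSSL::)\bDigest::MD5\b/,
  'OpenSSL::Digest MD5' => /\bOpenSSL::Digest(?:::MD5\b|(?:\.new)?\(\s*['"]md5['"])/i,
  'md5 crypt ($1$)'     => /['"]\$1\$/
}.freeze

# Returns { relative_path => [[line_number, label], ...] } for files under root.
def scan_for_md5(root, exts: %w[.rb .erb .rake])
  root = root.chomp('/')
  hits = {}
  Find.find(root) do |path|
    next unless File.file?(path) && exts.include?(File.extname(path))
    rel = path.delete_prefix("#{root}/")
    File.foreach(path).with_index(1) do |line, no|
      next if line.lstrip.start_with?('#') # comment-only line, not a call site
      MD5_PATTERNS.each do |label, re|
        (hits[rel] ||= []) << [no, label] if line.scrub.match?(re)
      end
    end
  end
  hits
end

# Constructed sample tree (not Foreman's files) so the example runs offline.
def build_sample_tree(dir)
  files = {
    'app/services/crypt_demo.rb' => "require 'digest'\n# Digest::MD5 used to live here\nsalt = \"$1$\" + seed\n",
    'app/helpers/avatar_demo.rb' => "hash = Digest::MD5.hexdigest(email)\n",
    'lib/cache_demo.rb' => "sum = OpenSSL::Digest.new('md5').hexdigest(body)\nok = Digest::SHA256.hexdigest(body)\n"
  }
  files.each do |rel, body|
    FileUtils.mkdir_p(File.join(dir, File.dirname(rel)))
    File.write(File.join(dir, rel), body)
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    build_sample_tree(dir)
    scan_for_md5(dir).sort.each do |path, found|
      found.each { |no, label| puts "#{path}:#{no}: #{label}" }
    end
  end
end
```
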

#8 Updated by Dmitri Dolguikh about 3 years ago

  • Related to Feature #21748: Replace crypto- and hash-functions unapproved by FIPS with FIPS-approved ones added

#9 Updated by Dmitri Dolguikh about 3 years ago

  • Related to Feature #21749: Create CI environment with FIPS enabled added

#10 Updated by Dmitri Dolguikh about 3 years ago

  • Related to Feature #21750: Investigate Rails caching with FIPS enabled added

#11 Updated by Dmitri Dolguikh about 3 years ago

  • Related to Feature #21751: Investigate interoperability with Salt with FIPS enabled added

#12 Updated by Dmitri Dolguikh about 3 years ago

  • Related to Feature #21752: Investigate interoperability with BMC/IPMI with FIPS enabled added

#13 Updated by Dmitri Dolguikh about 3 years ago

  • Related to Feature #21753: Introduce verification of 3rd-party ssl certificates for FIPS-approved hash functions added

#14 Updated by Dmitri Dolguikh about 3 years ago

  • Related to Feature #21754: Investigate interoperability with Puppet with FIPS enabled added

#15 Updated by Dmitri Dolguikh about 3 years ago

  • Related to Feature #21755: Update dhcpd puppet module to use FIPS-approved hash function for omapi shared secret added

#16 Updated by Dmitri Dolguikh about 3 years ago

  • Related to Feature #21756: Update bind puppet module to use FIPS-approved hash function for dhcpd shared secret added

#18 Updated by Dmitri Dolguikh almost 3 years ago

  • Related to Feature #21875: Add support for sha512 grub passwords to provisioning templates added

#19 Updated by Ivan Necas almost 3 years ago

  • Blocked by Bug #22583: Replace MD5 by SHA1 for apipie cache checksum added

#20 Updated by Ivan Necas over 2 years ago

  • Blocked by Bug #23128: Deface uses MD5 and doesn't work in FIPS-enable environment added

#21 Updated by Peter Ondrejka over 2 years ago

  • Blocked by Bug #23130: unable to install theforeman-foreman_scap_client in FIPS-enabled environment added

#22 Updated by Peter Ondrejka over 2 years ago

  • Blocked by Bug #23312: angular-rails-templates uses MD5 causing problems FIPS-enabled envrionments added

#23 Updated by Peter Ondrejka over 2 years ago

  • Related to Bug #23363: Katello uses md5hash function incompatible with FIPS-enabled environments added

#24 Updated by Anonymous over 2 years ago

#25 Updated by Peter Ondrejka over 2 years ago

  • Related to Bug #24732: FIPS Scheduled synchronization task ends with PG::UniqueViolation: ERROR: duplicate key value violates unique constraint "index_katello_repository_rpms_on_rpm_id_and_repository_id" added

#26 Updated by Peter Ondrejka about 2 years ago

  • Related to Bug #24889: Docker repository sync on FIPS system fails with TypeError: can't quote ActiveSupport::HashWithIndifferentAccess added

#27 Updated by Ivan Necas about 2 years ago

#28 Updated by Ivan Necas about 2 years ago

Anyone with permissions, could you switch status on this to closed, as we're not aware of anything else right now to address, and things should just work(TM) in 1.20.

#29 Updated by Anonymous about 2 years ago

  • Status changed from New to Resolved
  • Fixed in Releases 1.20.0 added

The rest is related mainly to plugins.

#30 Updated by Ondřej Pražák about 2 years ago

  • Blocked by Bug #25447: Unable to create puppet certificate request from RHEL5 with fips enabled added

#31 Updated by Ivan Necas almost 2 years ago

  • Related to Bug #24974: The kafo configure is generating incorrect 'foreman-proxy-client-bundle.pem' which is not allowing httpd service to start added

#32 Updated by Ivan Necas almost 2 years ago

  • Related to Feature #26203: Allow provisioning hosts into FIPS mode added

#33 Updated by Ivan Necas almost 2 years ago

  • Related to Feature #26204: Allow provisioning hosts into FIPS mode added

#34 Updated by Ewoud Kohl van Wijngaarden over 1 year ago

  • Related to Bug #26088: httpd fails to start after installing capsule in FIPS mode added
