Feature #3511

As a security person, I would like Foreman to run in FIPS mode

Added by Dmitri Dolguikh about 5 years ago. Updated 2 months ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Security
Target version: -
Difficulty:
Triaged: No
Bugzilla link:
Pull request:
Team Backlog:
Fixed in Releases:
Found in Releases:

Related issues

Related to Katello - Feature #5313: FIPS compliancy (New, 2014-04-21)
Related to Foreman - Feature #21748: Replace crypto- and hash-functions unapproved by FIPS with FIPS-approved ones (Closed, 2017-11-23)
Related to Foreman - Feature #21749: Create CI environment with FIPS enabled (New, 2017-11-23)
Related to Foreman - Feature #21750: Investigate Rails caching with FIPS enabled (Resolved, 2017-11-23)
Related to Foreman - Feature #21751: Investigate interoperability with Salt with FIPS enabled (New, 2017-11-23)
Related to Foreman - Feature #21752: Investigate interoperability with BMC/IPMI with FIPS enabled (New, 2017-11-23)
Related to Foreman - Feature #21753: Introduce verification of 3rd-party ssl certificates for FIPS-approved hash functions (New, 2017-11-23)
Related to Foreman - Feature #21754: Investigate interoperability with Puppet with FIPS enabled (Resolved, 2017-11-23)
Related to Installer - Feature #21755: Update dhcpd puppet module to use FIPS-approved hash function for omapi shared secret (Closed, 2017-11-23)
Related to Installer - Feature #21756: Update bind puppet module to use FIPS-approved hash function for dhcpd shared secret (Rejected, 2017-11-23)
Related to Foreman - Feature #21875: Add support for sha512 grub passwords to provisioning templates (Closed, 2017-12-05)
Related to Katello - Bug #23363: Katello uses md5hash function incompatible with FIPS-enabled environments (Closed, 2018-04-23)
Related to Katello - Bug #24732: FIPS Scheduled synchronization task ends with PG::UniqueViolation: ERROR: duplicate key value violates unique constraint "index_katello_repository_rpms_on_rpm_id_and_repository_id" (Resolved)
Related to Katello - Bug #24889: Docker repository sync on FIPS system fails with TypeError: can't quote ActiveSupport::HashWithIndifferentAccess (Resolved)
Has duplicate Foreman - Bug #12314: Foreman does not work with FIPS enabled (Duplicate, 2015-10-26)
Blocked by Foreman - Bug #22583: Replace MD5 by SHA1 for apipie cache checksum (Closed, 2018-02-14)
Blocked by Foreman - Bug #23128: Deface uses MD5 and doesn't work in FIPS-enable environment (Resolved)
Blocked by OpenSCAP - Bug #23130: unable to install theforeman-foreman_scap_client in FIPS-enabled environment (Rejected, 2018-04-05)
Blocked by Packaging - Bug #23312: angular-rails-templates uses MD5 causing problems FIPS-enabled envrionments (Closed)
Blocked by Foreman - Tracker #21834: Rails 5.2 upgrade tasks (Closed)
Blocked by Foreman - Feature #22119: Replace MD5 hashes with SHA (Closed)
Blocked by Foreman - Bug #25447: Unable to create puppet certificate request from RHEL5 with fips enabled (New)

History

#1 Updated by Dmitri Dolguikh about 5 years ago

- set up foreman, smart_proxy, and puppet in FIPS mode
- see what breaks

#2 Updated by Eric Helms over 3 years ago

#3 Updated by Dominic Cleal about 3 years ago

  • Has duplicate Bug #12314: Foreman does not work with FIPS enabled added

#4 Updated by Dominic Cleal about 3 years ago

Linked ticket #12314 has some specifics.

#5 Updated by Trevor Vaughan almost 3 years ago

Just wanted to make a note that a lot of the issue here may be that ActiveRecord does not support FIPS mode due to the explicit use of MD5.

Relevant Search: https://github.com/rails/rails/search?utf8=%E2%9C%93&q=md5

#6 Updated by Dmitri Dolguikh about 1 year ago

Please see https://groups.google.com/forum/#!topic/foreman-dev/CZFAY5FQl80 for the discussion of potential approaches.

#7 Updated by James Shewey about 1 year ago

  • Subject changed from As a securiyt person, I would like Foreman to run in FIPS mode to As a security person, I would like Foreman to run in FIPS mode

I have opened https://github.com/rails/rails/issues/31203 upstream for this issue. Meanwhile, it appears that Foreman uses Digest::MD5 in the following places:

./migrate/20140912113254_add_password_hash_to_operatingsystem.rb
./migrate/20150428110835_change_os_default_password_hash.rb
./app/controllers/api/v1/operatingsystems_controller.rb
./app/controllers/api/v2/operatingsystems_controller.rb
./app/helpers/unattended_helper.rb
./app/helpers/application_helper.rb
./app/models/setting/email.rb
./app/services/password_crypt.rb
./app/views/unattended/provisioning_templates/snippet/_bmc_nic_setup.erb

https://github.com/theforeman/foreman/search?utf8=%E2%9C%93&q=md5&type=
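A static sweep of the kind that produces a file list like the one in comment #7, shown here as an added example that is not part of the ticket or of Foreman's code. The two patterns, the function names and the sample tree are assumptions constructed for illustration; the sample files are not Foreman's real sources.

```ruby
require "tmpdir"
require "fileutils"

# Call-site patterns (assumed set); MD5 is not a FIPS-approved hash function.
MD5_PATTERNS = {
  constant: /\b(?:OpenSSL::)?Digest::MD5\b/,          # Digest::MD5, OpenSSL::Digest::MD5
  by_name:  /\bDigest(?:\.new)?\(\s*["']md5["']/i     # OpenSSL::Digest.new('md5')
}.freeze

# Walk root and return one finding per source line that references MD5.
def scan_for_md5(root)
  findings = []
  Dir.glob(File.join(root, "**", "*.{rb,erb,rake}")).sort.each do |path|
    File.foreach(path).with_index(1) do |raw, lineno|
      line = raw.scrub
      next if line.strip.start_with?("#")             # skip whole-line Ruby comments
      MD5_PATTERNS.each do |kind, pattern|
        next unless line =~ pattern
        findings << { file: path.delete_prefix("#{root}/"), line: lineno, kind: kind }
        break                                         # report each line once
      end
    end
  end
  findings
end

# Constructed sample tree (hypothetical files) to exercise the scanner offline.
def build_sample_tree(root)
  {
    "app/services/sample_crypt.rb" => "require 'digest'\n# Digest::MD5 mentioned in a comment\nDigest::MD5.hexdigest(seed)\n",
    "app/helpers/cache_helper.rb"  => "OpenSSL::Digest.new('md5').hexdigest(key)\n",
    "app/views/snippet/_nic.erb"   => "<%= Digest::MD5.hexdigest(@host.name) %>\n",
    "app/models/token.rb"          => "Digest::SHA256.hexdigest(value)\n"
  }.each do |rel, body|
    path = File.join(root, rel)
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, body)
  end
end

def demo
  Dir.mktmpdir do |root|
    build_sample_tree(root)
    scan_for_md5(root)
  end
end

demo.each { |f| puts "#{f[:file]}:#{f[:line]}: #{f[:kind]}" } if __FILE__ == $PROGRAM_NAME
```

A sweep like this only finds direct references in the application tree; MD5 use inside gems, which several of the blocking tickets here concern, needs the same scan run over the installed gem paths.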

#8 Updated by Dmitri Dolguikh about 1 year ago

  • Related to Feature #21748: Replace crypto- and hash-functions unapproved by FIPS with FIPS-approved ones added

#9 Updated by Dmitri Dolguikh about 1 year ago

  • Related to Feature #21749: Create CI environment with FIPS enabled added

#10 Updated by Dmitri Dolguikh about 1 year ago

  • Related to Feature #21750: Investigate Rails caching with FIPS enabled added

#11 Updated by Dmitri Dolguikh about 1 year ago

  • Related to Feature #21751: Investigate interoperability with Salt with FIPS enabled added

#12 Updated by Dmitri Dolguikh about 1 year ago

  • Related to Feature #21752: Investigate interoperability with BMC/IPMI with FIPS enabled added

#13 Updated by Dmitri Dolguikh about 1 year ago

  • Related to Feature #21753: Introduce verification of 3rd-party ssl certificates for FIPS-approved hash functions added

#14 Updated by Dmitri Dolguikh about 1 year ago

  • Related to Feature #21754: Investigate interoperability with Puppet with FIPS enabled added

#15 Updated by Dmitri Dolguikh about 1 year ago

  • Related to Feature #21755: Update dhcpd puppet module to use FIPS-approved hash function for omapi shared secret added

#16 Updated by Dmitri Dolguikh about 1 year ago

  • Related to Feature #21756: Update bind puppet module to use FIPS-approved hash function for dhcpd shared secret added

#18 Updated by Dmitri Dolguikh about 1 year ago

  • Related to Feature #21875: Add support for sha512 grub passwords to provisioning templates added

#19 Updated by Ivan Necas 10 months ago

  • Blocked by Bug #22583: Replace MD5 by SHA1 for apipie cache checksum added

#20 Updated by Ivan Necas 9 months ago

  • Blocked by Bug #23128: Deface uses MD5 and doesn't work in FIPS-enable environment added

#21 Updated by Peter Ondrejka 9 months ago

  • Blocked by Bug #23130: unable to install theforeman-foreman_scap_client in FIPS-enabled environment added

#22 Updated by Peter Ondrejka 8 months ago

  • Blocked by Bug #23312: angular-rails-templates uses MD5 causing problems FIPS-enabled envrionments added

#23 Updated by Peter Ondrejka 8 months ago

  • Related to Bug #23363: Katello uses md5hash function incompatible with FIPS-enabled environments added

#24 Updated by Michael Moll 8 months ago

#25 Updated by Peter Ondrejka 4 months ago

  • Related to Bug #24732: FIPS Scheduled synchronization task ends with PG::UniqueViolation: ERROR: duplicate key value violates unique constraint "index_katello_repository_rpms_on_rpm_id_and_repository_id" added

#26 Updated by Peter Ondrejka 3 months ago

  • Related to Bug #24889: Docker repository sync on FIPS system fails with TypeError: can't quote ActiveSupport::HashWithIndifferentAccess added

#27 Updated by Ivan Necas 3 months ago

#28 Updated by Ivan Necas 2 months ago

Anyone with permissions, could you switch status on this to closed, as we're not aware of anything else right now to address, and things should just work(TM) in 1.20.

#29 Updated by Michael Moll 2 months ago

  • Status changed from New to Resolved
  • Fixed in Releases 1.20.0 added

The rest is related mainly to plugins.

#30 Updated by Ondřej Pražák about 1 month ago

  • Blocked by Bug #25447: Unable to create puppet certificate request from RHEL5 with fips enabled added
