Project

General

Profile

Actions

Feature #3511

closed

As a security person, I would like Foreman to run in FIPS mode

Added by Anonymous over 10 years ago. Updated over 5 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Security
Target version:
-
Difficulty:
Triaged:
No
Fixed in Releases:
Found in Releases:

Related issues 26 (5 open21 closed)

Related to Katello - Feature #5313: FIPS compliancyRejectedActions
Related to Foreman - Feature #21748: Replace crypto- and hash-functions unapproved by FIPS with FIPS-approved onesClosed11/23/2017Actions
Related to Foreman - Feature #21749: Create CI environment with FIPS enabledNew11/23/2017Actions
Related to Foreman - Feature #21750: Investigate Rails caching with FIPS enabledResolved11/23/2017Actions
Related to Foreman - Feature #21751: Investigate interoperability with Salt with FIPS enabledNew11/23/2017Actions
Related to Foreman - Feature #21752: Investigate interoperability with BMC/IPMI with FIPS enabledNew11/23/2017Actions
Related to Foreman - Feature #21753: Introduce verification of 3rd-party ssl certificates for FIPS-approved hash functionsNew11/23/2017Actions
Related to Foreman - Feature #21754: Investigate interoperability with Puppet with FIPS enabledResolved11/23/2017Actions
Related to Installer - Feature #21755: Update dhcpd puppet module to use FIPS-approved hash function for omapi shared secretClosedEwoud Kohl van Wijngaarden11/23/2017Actions
Related to Installer - Feature #21756: Update bind puppet module to use FIPS-approved hash function for dhcpd shared secretRejected11/23/2017Actions
Related to Foreman - Feature #21875: Add support for sha512 grub passwords to provisioning templatesClosed12/05/2017Actions
Related to Katello - Bug #23363: Katello uses md5hash function incompatible with FIPS-enabled environmentsClosed04/23/2018Actions
Related to Katello - Bug #24732: FIPS Scheduled synchronization task ends with PG::UniqueViolation: ERROR: duplicate key value violates unique constraint "index_katello_repository_rpms_on_rpm_id_and_repository_id"ResolvedSamir JhaActions
Related to Katello - Bug #24889: Docker repository sync on FIPS system fails with TypeError: can't quote ActiveSupport::HashWithIndifferentAccessResolvedActions
Related to Installer - Bug #24974: The kafo configure is generating incorrect 'foreman-proxy-client-bundle.pem' which is not allowing httpd service to startDuplicateIvan NecasActions
Related to Foreman - Feature #26203: Allow provisioning hosts into FIPS modeClosedMarek HulánActions
Related to Discovery - Feature #26204: Allow provisioning hosts into FIPS modeClosedIvan NecasActions
Related to Installer - Bug #26088: httpd fails to start after installing capsule in FIPS modeClosedIvan NecasActions
Has duplicate Foreman - Bug #12314: Foreman does not work with FIPS enabledDuplicate10/26/2015Actions
Blocked by Foreman - Bug #22583: Replace MD5 by SHA1 for apipie cache checksumClosedIvan Necas02/14/2018Actions
Blocked by Foreman - Bug #23128: Deface uses MD5 and doesn't work in FIPS-enable environmentResolvedActions
Blocked by OpenSCAP - Bug #23130: unable to install theforeman-foreman_scap_client in FIPS-enabled environmentRejected04/05/2018Actions
Blocked by Packaging - Bug #23312: angular-rails-templates uses MD5 causing problems FIPS-enabled envrionmentsClosedActions
Blocked by Foreman - Tracker #21834: Rails 5.2 upgrade tasksClosed

Actions
Blocked by Foreman - Feature #22119: Replace MD5 hashes with SHAClosedIvan NecasActions
Blocked by Foreman - Bug #25447: Unable to create puppet certificate request from RHEL5 with fips enabledNewActions
Actions #1

Updated by Anonymous over 10 years ago

- setup foreman, smart_proxy, and puppet in FIPS mode
- see what breaks

Actions #2

Updated by Eric Helms over 8 years ago

Actions #3

Updated by Dominic Cleal over 8 years ago

  • Has duplicate Bug #12314: Foreman does not work with FIPS enabled added
Actions #4

Updated by Dominic Cleal over 8 years ago

Linked ticket #12314 has some specifics.

Actions #5

Updated by Trevor Vaughan about 8 years ago

Just wanted to make a note that a lot of the issue here may be that ActiveRecord does not support FIPS mode due to the explicit use of MD5.

Relevant Search: https://github.com/rails/rails/search?utf8=%E2%9C%93&q=md5

Actions #6

Updated by Anonymous over 6 years ago

Please see https://groups.google.com/forum/#!topic/foreman-dev/CZFAY5FQl80 for the discussion of potential approaches.

Actions #7

Updated by James Shewey over 6 years ago

  • Subject changed from As a securiyt person, I would like Foreman to run in FIPS mode to As a security person, I would like Foreman to run in FIPS mode

I have opened https://github.com/rails/rails/issues/31203 upstream for this issue. Meanwhile, it appears that forman uses Digest::MD5 in the following places:

./migrate/20140912113254_add_password_hash_to_operatingsystem.rb
./migrate/20150428110835_change_os_default_password_hash.rb
./app/controllers/api/v1/operatingsystems_controller.rb
./app/controllers/api/v2/operatingsystems_controller.rb
./app/helpers/unattended_helper.rb
./app/helpers/application_helper.rb
./app/models/setting/email.rb
./app/services/password_crypt.rb
./app/views/unattended/provisioning_templates/snippet/_bmc_nic_setup.erb

https://github.com/theforeman/foreman/search?utf8=%E2%9C%93&q=md5&type=

Actions #8

Updated by Anonymous over 6 years ago

  • Related to Feature #21748: Replace crypto- and hash-functions unapproved by FIPS with FIPS-approved ones added
Actions #9

Updated by Anonymous over 6 years ago

  • Related to Feature #21749: Create CI environment with FIPS enabled added
Actions #10

Updated by Anonymous over 6 years ago

  • Related to Feature #21750: Investigate Rails caching with FIPS enabled added
Actions #11

Updated by Anonymous over 6 years ago

  • Related to Feature #21751: Investigate interoperability with Salt with FIPS enabled added
Actions #12

Updated by Anonymous over 6 years ago

  • Related to Feature #21752: Investigate interoperability with BMC/IPMI with FIPS enabled added
Actions #13

Updated by Anonymous over 6 years ago

  • Related to Feature #21753: Introduce verification of 3rd-party ssl certificates for FIPS-approved hash functions added
Actions #14

Updated by Anonymous over 6 years ago

  • Related to Feature #21754: Investigate interoperability with Puppet with FIPS enabled added
Actions #15

Updated by Anonymous over 6 years ago

  • Related to Feature #21755: Update dhcpd puppet module to use FIPS-approved hash function for omapi shared secret added
Actions #16

Updated by Anonymous over 6 years ago

  • Related to Feature #21756: Update bind puppet module to use FIPS-approved hash function for dhcpd shared secret added
Actions #17

Updated by Anonymous over 6 years ago

Actions #18

Updated by Anonymous over 6 years ago

  • Related to Feature #21875: Add support for sha512 grub passwords to provisioning templates added
Actions #19

Updated by Ivan Necas about 6 years ago

  • Blocked by Bug #22583: Replace MD5 by SHA1 for apipie cache checksum added
Actions #20

Updated by Ivan Necas about 6 years ago

  • Blocked by Bug #23128: Deface uses MD5 and doesn't work in FIPS-enable environment added
Actions #21

Updated by Peter Ondrejka about 6 years ago

  • Blocked by Bug #23130: unable to install theforeman-foreman_scap_client in FIPS-enabled environment added
Actions #22

Updated by Peter Ondrejka almost 6 years ago

  • Blocked by Bug #23312: angular-rails-templates uses MD5 causing problems FIPS-enabled envrionments added
Actions #23

Updated by Peter Ondrejka almost 6 years ago

  • Related to Bug #23363: Katello uses md5hash function incompatible with FIPS-enabled environments added
Actions #24

Updated by Anonymous almost 6 years ago

Actions #25

Updated by Peter Ondrejka over 5 years ago

  • Related to Bug #24732: FIPS Scheduled synchronization task ends with PG::UniqueViolation: ERROR: duplicate key value violates unique constraint "index_katello_repository_rpms_on_rpm_id_and_repository_id" added
Actions #26

Updated by Peter Ondrejka over 5 years ago

  • Related to Bug #24889: Docker repository sync on FIPS system fails with TypeError: can't quote ActiveSupport::HashWithIndifferentAccess added
Actions #27

Updated by Ivan Necas over 5 years ago

Actions #28

Updated by Ivan Necas over 5 years ago

Anyone with permissions, could you switch status on this to closed, as we're not aware of anything else right now to address, and things should just work(TM) in 1.20

Actions #29

Updated by Anonymous over 5 years ago

  • Status changed from New to Resolved
  • Fixed in Releases 1.20.0 added

The rest is related mainly to plugins.

Actions #30

Updated by Ondřej Pražák over 5 years ago

  • Blocked by Bug #25447: Unable to create puppet certificate request from RHEL5 with fips enabled added
Actions #31

Updated by Ivan Necas about 5 years ago

  • Related to Bug #24974: The kafo configure is generating incorrect 'foreman-proxy-client-bundle.pem' which is not allowing httpd service to start added
Actions #32

Updated by Ivan Necas about 5 years ago

  • Related to Feature #26203: Allow provisioning hosts into FIPS mode added
Actions #33

Updated by Ivan Necas about 5 years ago

  • Related to Feature #26204: Allow provisioning hosts into FIPS mode added
Actions #34

Updated by Ewoud Kohl van Wijngaarden about 5 years ago

  • Related to Bug #26088: httpd fails to start after installing capsule in FIPS mode added
Actions

Also available in: Atom PDF