CFEngine running under FIPS


Alex Malowany

Jan 24, 2025, 11:00:17 AM
to help-cfengine
Hi,

We're running into a problem running CFEngine on Red Hat Linux under FIPS, using the rpm packages downloaded from https://cfengine.com/downloads/cfengine-community/

The same problem doesn't appear to be present in the rpm packages as downloaded from the yum repo described there.

Tested with Red Hat and Rocky Linux versions 8 and 9, and with cfengine-community versions 3.18.x, 3.21.6 and 3.24.1.


## baseline test

When the OS is booted without FIPS enabled there is no problem.

```
$ sysctl crypto.fips_enabled
crypto.fips_enabled = 0
$ /var/cfengine/bin/cf-promises -df /var/cfengine/share/CoreBase/masterfiles/update.cf | grep -i hash
debug: Hashed policy file /var/cfengine/share/CoreBase/masterfiles/update.cf to MD5=f917539c79f1d88570fc95c37656d9bb
debug: Hashed policy file /var/cfengine/share/CoreBase/masterfiles/cfe_internal/update/lib.cf to MD5=e1fb6c176ffcfce0b9bda14f95d2c683
```

## failure under FIPS

When the OS is booted with FIPS enabled, all hashes return 00000000000000000000000000000000.

```
$ sysctl crypto.fips_enabled
crypto.fips_enabled = 1
$ /var/cfengine/bin/cf-promises -df /var/cfengine/share/CoreBase/masterfiles/update.cf | grep -i hash
debug: Hashed policy file /var/cfengine/share/CoreBase/masterfiles/update.cf to MD5=00000000000000000000000000000000
debug: Hashed policy file /var/cfengine/share/CoreBase/masterfiles/cfe_internal/update/lib.cf to MD5=00000000000000000000000000000000
verbose: Skipping loading of duplicate (detected by hash) policy file /var/cfengine/share/CoreBase/masterfiles/cfe_internal/update/lib.cf
```


I would guess this is due to the MD5 hashing function being disabled under FIPS. But when the same test is run using the same version installed from the yum repo, the problem is not seen.

Is it possible for us to override the default digest used? Or is there something else we can do to fix the default behaviour?

Any help would be appreciated.

Thank you,
----------
Alex Malowany
Computer Systems Administrator
Scientific Computing
Diamond Light Source Ltd.
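An added check script (not from this thread or from the CFEngine project) that spots the failure mode described above: an all-zero MD5 digest in cf-promises debug output, which then makes every further policy file look like a duplicate. It assumes the `openssl` command-line tool is on the path; the sample debug lines are constructed.

```sh
#!/bin/sh
# Added example: detect the FIPS/MD5 failure mode described in the post above.

# Return 0 when a digest string is a disabled-hash placeholder (all zeros).
is_zero_digest() {
  case "$1" in
    "")     return 1 ;;   # no digest at all
    *[!0]*) return 1 ;;   # contains at least one non-zero character
    *)      return 0 ;;
  esac
}

# Extract the hex value after "MD5=" from one cf-promises debug line.
digest_from_line() {
  printf '%s\n' "$1" | sed -n 's/.*MD5=\([0-9a-fA-F]*\).*/\1/p'
}

# Read cf-promises debug output on stdin; print how many files hashed to all zeros.
count_zero_hashes() {
  n=0
  while IFS= read -r line; do
    d=$(digest_from_line "$line")
    if [ -n "$d" ] && is_zero_digest "$d"; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# Whether the system OpenSSL will compute MD5 at all (blocked in FIPS mode).
md5_available() {
  printf 'x' | openssl dgst -md5 >/dev/null 2>&1
}

# Constructed sample resembling the output quoted in the post (one good, one zeroed).
SAMPLE_OUTPUT='debug: Hashed policy file /var/cfengine/masterfiles/update.cf to MD5=f917539c79f1d88570fc95c37656d9bb
debug: Hashed policy file /var/cfengine/masterfiles/cfe_internal/update/lib.cf to MD5=00000000000000000000000000000000'

# Replace the sample with real output, e.g.:
#   /var/cfengine/bin/cf-promises -df /var/cfengine/masterfiles/update.cf | count_zero_hashes
zeros=$(printf '%s\n' "$SAMPLE_OUTPUT" | count_zero_hashes)
echo "policy files with an all-zero digest: $zeros"
if ! md5_available; then
  echo "openssl refuses MD5 (FIPS mode?); hash-based duplicate detection cannot be trusted"
fi
```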

Nick Anderson

Jan 24, 2025, 1:39:09 PM
to help-c...@googlegroups.com, Alex Malowany

> Hi,
>
> We're running into a problem running CFEngine on Red Hat Linux under FIPS, using the rpm packages downloaded from https://cfengine.com/downloads/cfengine-community/
>
> The same problem doesn't appear to be present in the rpm packages as downloaded from the yum repo described there.

It's expected that CFEngine Community doesn't function when FIPS mode is enabled but CFEngine Enterprise does work. It's strange and unexpected that you see any difference in the behavior of Community if using the same package downloaded from a different source.

> Is it possible for us to override the default digest used? Or is there something else we can do to fix the default behaviour?
>
> Any help would be appreciated.

It's open code, so you could certainly modify it, but CFEngine Enterprise would be my recommendation.

Alex Malowany

Jan 27, 2025, 4:24:01 AM
to help-cfengine
Thank you, I'll take that back to the team.