[opensuse-factory] rkhunter warns : /usr/bin/.fipscheck.hmac
Hello List,

rkhunter warns :
"Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text "
...........
- is this harmless ?
............

thanks, regards
ellan

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

On 30/09/14 at #4, ellanios82 wrote:
> Hello List,
> rkhunter warns :
> "Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text "
> ...........
> - is this harmless ?

Yes, file a bug report so it is excluded from the warnings.

--
Cristian
"I don't know the key to success, but the key to failure is trying to please everybody."

Hello,

On Tuesday, 30 September 2014, Cristian Rodríguez wrote:
> On 30/09/14 at #4, ellanios82 wrote:
> > rkhunter warns : "Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
> > - is this harmless ?
> Yes, file a bug report so it is excluded from the warnings.

I agree that the file content is harmless.

Nevertheless, /usr/bin/ is for _executable_ files only, and having hidden files there is at least a bit strange IMHO.

I don't know the internals of fipscheck, but IMHO non-executable files (like .fipscheck.hmac) shouldn't be located in /usr/bin/

Marcus, do you want a bugreport about this? ;-)

Regards,

Christian Boltz
--
Failure is not an option. It comes bundled with your Microsoft product.

On Tuesday 2014-09-30 22:03, Christian Boltz wrote:
> > > rkhunter warns : "Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
> Nevertheless, /usr/bin/ is for _executable_ files only, and having hidden files there is at least a bit strange IMHO.
> I don't know the internals of fipscheck, but IMHO non-executable files (like .fipscheck.hmac) shouldn't be located in /usr/bin/ Marcus, do you want a bugreport about this? ;-)

Where should it be instead? Maybe something in the spirit of /usr/src/debug with fully mirrored directory hierarchy? Or perhaps an xattr associated with the file? (Though that may not outlive security scrutiny.)

On Tue, Sep 30, 2014 at 10:08:02PM +0200, Jan Engelhardt wrote:
> On Tuesday 2014-09-30 22:03, Christian Boltz wrote:
> > > > rkhunter warns : "Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
> > Nevertheless, /usr/bin/ is for _executable_ files only, and having hidden files there is at least a bit strange IMHO.
> > I don't know the internals of fipscheck, but IMHO non-executable files (like .fipscheck.hmac) shouldn't be located in /usr/bin/ Marcus, do you want a bugreport about this? ;-)
> Where should it be instead? Maybe something in the spirit of /usr/src/debug with fully mirrored directory hierarchy? Or perhaps an xattr associated with the file? (Though that may not outlive security scrutiny.)

It contains a checksum for the binary that is required on start-up. We can hide it somewhere else, but it should be close.

extended attributes might be too fragile.

Ciao, Marcus

Marcus Meissner wrote:
> On Tue, Sep 30, 2014 at 10:08:02PM +0200, Jan Engelhardt wrote:
> > On Tuesday 2014-09-30 22:03, Christian Boltz wrote:
> > > > > rkhunter warns : "Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
> > > Nevertheless, /usr/bin/ is for _executable_ files only, and having hidden files there is at least a bit strange IMHO.
> > > I don't know the internals of fipscheck, but IMHO non-executable files (like .fipscheck.hmac) shouldn't be located in /usr/bin/ Marcus, do you want a bugreport about this? ;-)
> > Where should it be instead? Maybe something in the spirit of /usr/src/debug with fully mirrored directory hierarchy? Or perhaps an xattr associated with the file? (Though that may not outlive security scrutiny.)
> It contains a checksum for the binary that is required on start-up. We can hide it somewhere else, but it should be close.
> extended attributes might be too fragile.

Maybe it would be possible to store the checksum in some ELF header. So it's invisible to the user and inseparable from the binary. When checking itself the code of course needs to skip this part.

In the mean time we can disable this fips stuff for openSUSE I guess as openSUSE won't be validated for fips anyways, right?

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)

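[Added example, not part of the thread and not fipscheck's own code: a sketch of the two layouts discussed above, the checksum in a hidden file beside the binary (Marcus) and the checksum embedded in the file with that region skipped during verification (Ludwig). The HMAC-SHA256 algorithm, the key, the `.name.hmac` naming rule, the `HMACSLOT` marker and all function names are assumptions made for illustration.]

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

KEY = b"constructed-demo-key"  # assumption: placeholder key, not fipscheck's
MARKER = b"HMACSLOT"           # hypothetical tag marking the embedded slot
SLOT = 64                      # length of a hex HMAC-SHA256 digest


def mac(data: bytes) -> str:
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


def sidecar_path(binary: Path) -> Path:
    # Assumed naming: /usr/bin/fipscheck -> /usr/bin/.fipscheck.hmac
    return binary.with_name("." + binary.name + ".hmac")


def verify_sidecar(binary: Path) -> bool:
    """Checksum kept as ASCII text in a hidden file beside the binary."""
    try:
        expected = sidecar_path(binary).read_text().strip()
    except FileNotFoundError:
        return False  # fail closed when the checksum file is missing
    return hmac.compare_digest(mac(binary.read_bytes()), expected)


def _blank_slot(blob: bytes):
    """Return (slot offset, blob with the slot overwritten by '0' bytes)."""
    i = blob.index(MARKER) + len(MARKER)  # ValueError if there is no slot
    return i, blob[:i] + b"0" * SLOT + blob[i + SLOT:]


def embed(blob: bytes) -> bytes:
    """Store the MAC inside the file; the MAC covers all bytes but the slot."""
    i, blank = _blank_slot(blob)
    return blank[:i] + mac(blank).encode() + blank[i + SLOT:]


def verify_embedded(blob: bytes) -> bool:
    i, blank = _blank_slot(blob)
    return hmac.compare_digest(mac(blank).encode(), blob[i:i + SLOT])


def demo():
    # Constructed sample bytes stand in for a binary; no ELF parsing is done.
    with tempfile.TemporaryDirectory() as d:
        tool = Path(d) / "tool"
        tool.write_bytes(b"\x7fELF...code...")
        sidecar_path(tool).write_text(mac(tool.read_bytes()) + "\n")
        intact = verify_sidecar(tool)
        sidecar_path(tool).unlink()  # checksum separated from the binary
        separated = verify_sidecar(tool)
    signed = embed(b"\x7fELF" + MARKER + b"0" * SLOT + b"...code...")
    tampered = signed.replace(b"code", b"c0de")
    return intact, separated, verify_embedded(signed), verify_embedded(tampered)
```

[`demo()` shows the trade-off raised in the thread: the sidecar check fails as soon as the hidden file is separated from the binary, while the embedded checksum travels with the file and still detects a changed byte outside the slot.]
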
On Thu, Oct 02, 2014 at 04:09:44PM +0200, Ludwig Nussel wrote:
> Marcus Meissner wrote:
> > On Tue, Sep 30, 2014 at 10:08:02PM +0200, Jan Engelhardt wrote:
> > > On Tuesday 2014-09-30 22:03, Christian Boltz wrote:
> > > > > > rkhunter warns : "Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
> > > > Nevertheless, /usr/bin/ is for _executable_ files only, and having hidden files there is at least a bit strange IMHO.
> > > > I don't know the internals of fipscheck, but IMHO non-executable files (like .fipscheck.hmac) shouldn't be located in /usr/bin/ Marcus, do you want a bugreport about this? ;-)
> > > Where should it be instead? Maybe something in the spirit of /usr/src/debug with fully mirrored directory hierarchy? Or perhaps an xattr associated with the file? (Though that may not outlive security scrutiny.)
> > It contains a checksum for the binary that is required on start-up. We can hide it somewhere else, but it should be close.
> > extended attributes might be too fragile.
> Maybe it would be possible to store the checksum in some ELF header. So it's invisible to the user and inseparable from the binary. When checking itself the code of course needs to skip this part.
> In the mean time we can disable this fips stuff for openSUSE I guess as openSUSE won't be validated for fips anyways, right?

Yes. It is done mostly for alignment with SLES 12.

This checking is however fipscheck's only purpose in life, so you can remove it from cryptsetup I would say and it will not get installed.

(dracut-fips also pulls it, but this is not mandatory to install.)

Ciao, Marcus

Hello,

On Thursday, 2 October 2014, Ludwig Nussel wrote:
> Marcus Meissner wrote:
> > On Tue, Sep 30, 2014 at 10:08:02PM +0200, Jan Engelhardt wrote:
> > > On Tuesday 2014-09-30 22:03, Christian Boltz wrote:
> > > > I don't know the internals of fipscheck, but IMHO non-executable files (like .fipscheck.hmac) shouldn't be located in /usr/bin/ Marcus, do you want a bugreport about this? ;-)
> > > Where should it be instead? Maybe something in the spirit of /usr/src/debug with fully mirrored directory hierarchy? Or perhaps an xattr associated with the file? (Though that may not outlive security scrutiny.)
> > It contains a checksum for the binary that is required on start-up. We can hide it somewhere else, but it should be close.

My first thought was /usr/share, but that should be arch-independent. What about /usr/lib* ?

> Maybe it would be possible to store the checksum in some ELF header. So it's invisible to the user and inseparable from the binary. When checking itself the code of course needs to skip this part.

That sounds like the best solution, but it probably also means some implementation effort.

> In the mean time we can disable this fips stuff for openSUSE I guess as openSUSE won't be validated for fips anyways, right?

Can you explain what this "fips stuff" is, please?

(If it's useful, I still prefer having a "strange" file in /usr/bin [1] over removing a feature ;-)

Regards,

Christian Boltz

[1] of course having it in another directory is even better
--
No way, please build "working penguins". ;-)))
[Gerald Engl in suse-linux]

Christian Boltz wrote:
> Hello,
> > In the mean time we can disable this fips stuff for openSUSE I guess as openSUSE won't be validated for fips anyways, right?
> Can you explain what this "fips stuff" is, please?

I guess it's some US federal thing:

https://de.wikipedia.org/wiki/Federal_Information_Processing_Standard

Should anything fips* be required for openSUSE? In YaST during installation I tried to remove it, but it complained that it was required by openssh and grub2.

--
Per Jessen, Zürich (16.4°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.

On Fri, 03 Oct 2014 17:37:10 +0200 Per Jessen <per@computer.org> wrote:
> Christian Boltz wrote:
> > Hello,
> > > In the mean time we can disable this fips stuff for openSUSE I guess as openSUSE won't be validated for fips anyways, right?
> > Can you explain what this "fips stuff" is, please?
> I guess it's some US federal thing:
> https://de.wikipedia.org/wiki/Federal_Information_Processing_Standard
> Should anything fips* be required for openSUSE? In YaST during installation I tried to remove it, but it complained that it was required by openssh and grub2.

Sorry? *What* was required by grub2 exactly?

Andrei Borzenkov wrote:
> On Fri, 03 Oct 2014 17:37:10 +0200 Per Jessen <per@computer.org> wrote:
> > Christian Boltz wrote:
> > > Hello,
> > > > In the mean time we can disable this fips stuff for openSUSE I guess as openSUSE won't be validated for fips anyways, right?
> > > Can you explain what this "fips stuff" is, please?
> > I guess it's some US federal thing:
> > https://de.wikipedia.org/wiki/Federal_Information_Processing_Standard
> > Should anything fips* be required for openSUSE? In YaST during installation I tried to remove it, but it complained that it was required by openssh and grub2.
> Sorry? *What* was required by grub2 exactly?

I tried taboo'ing fipscheck and libfips* (I think it was) - openssh and grub2 complained about those being required. I'll double-check.

--
Per Jessen, Zürich (16.2°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.

On Fri, 03 Oct 2014 17:59:45 +0200 Per Jessen <per@computer.org> wrote:
> Andrei Borzenkov wrote:
> > On Fri, 03 Oct 2014 17:37:10 +0200 Per Jessen <per@computer.org> wrote:
> > > Christian Boltz wrote:
> > > > Hello,
> > > > > In the mean time we can disable this fips stuff for openSUSE I guess as openSUSE won't be validated for fips anyways, right?
> > > > Can you explain what this "fips stuff" is, please?
> > > I guess it's some US federal thing:
> > > https://de.wikipedia.org/wiki/Federal_Information_Processing_Standard
> > > Should anything fips* be required for openSUSE? In YaST during installation I tried to remove it, but it complained that it was required by openssh and grub2.
> > Sorry? *What* was required by grub2 exactly?
> I tried taboo'ing fipscheck and libfips* (I think it was) - openssh and grub2 complained about those being required. I'll double-check.

What do you mean "grub2 complained"? You mean "yast complained these are required for grub2"? There is no such dependency in any grub2 RPM - it is linked with libdevmapper, libfreetype, libfuse and liblzma. And fips* is not listed as explicit dependency either.

On Fri, 2014-10-03 at 20:34 +0400, Andrei Borzenkov wrote:
> On Fri, 03 Oct 2014 17:59:45 +0200 Per Jessen <per@computer.org> wrote:
> > Andrei Borzenkov wrote:
> > > On Fri, 03 Oct 2014 17:37:10 +0200 Per Jessen <per@computer.org> wrote:
> > > > Christian Boltz wrote:
> > > > > Hello,
> > > > > > In the mean time we can disable this fips stuff for openSUSE I guess as openSUSE won't be validated for fips anyways, right?
> > > > > Can you explain what this "fips stuff" is, please?
> > > > I guess it's some US federal thing:
> > > > https://de.wikipedia.org/wiki/Federal_Information_Processing_Standard
> > > > Should anything fips* be required for openSUSE? In YaST during installation I tried to remove it, but it complained that it was required by openssh and grub2.
> > > Sorry? *What* was required by grub2 exactly?
> > I tried taboo'ing fipscheck and libfips* (I think it was) - openssh and grub2 complained about those being required. I'll double-check.
> What do you mean "grub2 complained"? You mean "yast complained these are required for grub2"? There is no such dependency in any grub2 RPM - it is linked with libdevmapper, libfreetype, libfuse and liblzma. And fips* is not listed as explicit dependency either.

The chain is easy to find, no?

fipscheck is required by libfipscheck1 is required by libcryptsetup4 is required by systemd...

and as we all know: systemd is rather essential to boot a modern openSUSE system.

Cheers,
Dominique

(and for the record: FIPS is a certification level which is probably important for SLE, which likely strives for a FIPS-140 certification. As openSUSE will likely never throw the money in to get such a cert, it's less important, but the tools can still make sense there).

--
Dimstar / Dominique Leuenberger <dimstar@opensuse.org>

Hello Dominique and all,

On 2014-10-03 T 18:54 Dominique Leuenberger wrote:
> ([...] FIPS is a certification level which is probably important for SLE, which likely strives for a FIPS-140 certification.

Yes, we do strive for a FIPS 140-2 validation for several security modules. See the public list of "Modules in Process" at: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf

> As openSUSE will likely never throw the money in to get such a cert, it's less important, but the tools can still make sense there).

I agree, but I am obviously biased, ...

so long -
MgE

--
Matthias G. Eckermann
Senior Product Manager
SUSE® Linux Enterprise
SUSE LINUX Products GmbH
Maxfeldstraße 5
90409 Nürnberg
Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)

Matthias G. Eckermann wrote:
> Hello Dominique and all,
> On 2014-10-03 T 18:54 Dominique Leuenberger wrote:
> > ([...] FIPS is a certification level which is probably important for SLE, which likely strives for a FIPS-140 certification.
> Yes, we do strive for a FIPS 140-2 validation for several security modules. See the public list of "Modules in Process" at: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf
> > As openSUSE will likely never throw the money in to get such a cert, it's less important, but the tools can still make sense there).
> I agree, but I am obviously biased, ...

I'm not sure if the tools make sense in openSUSE, but it's probably not important. I was only looking through the list of stuff selected in the minimal text-mode install and trying to weed out unnecessary stuff. (for a faster, not smaller, install).

--
Per Jessen, Zürich (15.4°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.

Andrei Borzenkov wrote:
> On Fri, 03 Oct 2014 17:59:45 +0200 Per Jessen <per@computer.org> wrote:
> > Andrei Borzenkov wrote:
> > > On Fri, 03 Oct 2014 17:37:10 +0200 Per Jessen <per@computer.org> wrote:
> > > > Christian Boltz wrote:
> > > > > Hello,
> > > > > > In the mean time we can disable this fips stuff for openSUSE I guess as openSUSE won't be validated for fips anyways, right?
> > > > > Can you explain what this "fips stuff" is, please?
> > > > I guess it's some US federal thing:
> > > > https://de.wikipedia.org/wiki/Federal_Information_Processing_Standard
> > > > Should anything fips* be required for openSUSE? In YaST during installation I tried to remove it, but it complained that it was required by openssh and grub2.
> > > Sorry? *What* was required by grub2 exactly?
> > I tried taboo'ing fipscheck and libfips* (I think it was) - openssh and grub2 complained about those being required. I'll double-check.
> What do you mean "grub2 complained"? You mean "yast complained these are required for grub2"? There is no such dependency in any grub2 RPM - it is linked with libdevmapper, libfreetype, libfuse and liblzma. And fips* is not listed as explicit dependency either.

Sorry, I misread the messages - here's the first window after I taboo'ed fipscheck:

http://files.jessen.ch/mirage-screenshot-yast1.jpeg

Then I taboo'ed libfipscheck1, which produced this window:

http://files.jessen.ch/mirage-screenshot-yast2.jpeg

--
Per Jessen, Zürich (15.8°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.

participants (10)
- Andrei Borzenkov
- Christian Boltz
- Cristian Rodríguez
- Dimstar / Dominique Leuenberger
- ellanios82
- Jan Engelhardt
- Ludwig Nussel
- Marcus Meissner
- Matthias G. Eckermann
- Per Jessen