Re: FC12: Hidden files in /usr/bin/*

On 01/22/2010 07:53 AM, Ralf Corsepius wrote:
> On 01/22/2010 01:22 PM, Tomas Mraz wrote:

>> These are checksums required by FIPS-140-2 integrity verification checks
>> of the fipscheck and ssh binaries.
>
> I.e. package data.
>
> =>  These packages are non-FHS compliant and qualify as broken.

I don't believe so---it's not my line of business but I understand that

- in some circumstances (government, regulated companies) encryption
   must be certified to the FIPS 140-2 standard

- on Linux encryption (https, ssh) is handled by OpenSSL, which went
   through the FIPS certification process

- one of the conditions of FIPS certification is a capability for
   run-time consistency checks, hence the fipscheck package

- the fipscheck package checks against the checksums stored in the
   .XXX.hmac files, therefore those files are required if a system needs
   to be FIPS-compliant.

Having said that, I don't understand how this scheme prevents
someone from subverting the executable and creating a matching .hmac
file, so that the fipscheck fails to see the problem. I expect it's
handled properly but I don't know how.
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
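
The check described in the message above, sketched as an added example (not part of the original post and not fipscheck's own code). HMAC-SHA256, the hex-digest file format and the key are assumptions; only the hidden `.NAME.hmac` layout comes from the thread.

```python
import hashlib
import hmac
import os
import tempfile

# Assumption: placeholder key; the thread does not say which key or hash is used.
EXAMPLE_KEY = b"constructed-example-key"

def hmac_path(binary_path):
    """Map /dir/name to /dir/.name.hmac (the hidden-file layout from the thread)."""
    directory, name = os.path.split(binary_path)
    return os.path.join(directory, "." + name + ".hmac")

def compute_tag(binary_path, key=EXAMPLE_KEY):
    """HMAC-SHA256 over the file contents, read in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(binary_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def verify(binary_path, key=EXAMPLE_KEY):
    """Return 'ok', 'mismatch', or 'missing' (no readable sidecar file)."""
    try:
        with open(hmac_path(binary_path), "r", encoding="ascii") as fh:
            stored = fh.read().strip().lower()
    except (OSError, UnicodeDecodeError):
        return "missing"
    # Constant-time comparison of the stored and the recomputed tag.
    matches = hmac.compare_digest(stored, compute_tag(binary_path, key))
    return "ok" if matches else "mismatch"

def demo():
    """Run the check on a constructed file: intact, modified, sidecar removed."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        binary = os.path.join(tmp, "ssh")  # constructed stand-in, not a real binary
        with open(binary, "wb") as fh:
            fh.write(b"\x7fELF constructed sample contents")
        with open(hmac_path(binary), "w", encoding="ascii") as fh:
            fh.write(compute_tag(binary) + "\n")
        results.append(verify(binary))      # file and sidecar agree
        with open(binary, "ab") as fh:
            fh.write(b"\x90")               # one appended byte changes the tag
        results.append(verify(binary))
        os.remove(hmac_path(binary))        # a missing sidecar is its own failure
        results.append(verify(binary))
    return results
```

A keyed check of this kind detects changes only by parties who do not hold the key, so what it guarantees depends on where the key lives.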
