Closed agit05 closed 7 years ago
Some of the answers can be found here: https://access.redhat.com/solutions/2853221
Still, I am more worried about the sha1 message.
If you're applying OpenSCAP/SCAP Security Guide remediations, would recommend pinging that community directly. Your question will likely get much more attention from the content-creation community, as they'll be the ones to patch anything that's causing issues :)
SHA1 is now deprecated, the recommendation is to move to SHA2 or SHA256 if possible.
https://blog.qualys.com/ssllabs/2014/09/09/sha1-deprecation-what-you-need-to-know
I am installing CentOS 7 and encountered the same error message during boot just after the installation, i.e. "dracut-pre-trigger[646]: modprobe: FATAL: Module sha1 not found." after selecting DISA STIG RHEL7 security profile. Boot does not continue because FIPS verification fails.
Any ideas or comments about the problem?
Hi,
I can try and figure out the issue, but I need more information:
-Frank
On Wed, Jul 18, 2018 at 3:10 AM Ya.Ko notifications@github.com wrote:
> I am installing CentOS 7 and encountered the same error message during boot just after the installation, i.e. "dracut-pre-trigger[646]: modprobe: FATAL: Module sha1 not found." after selecting DISA STIG RHEL7 security profile. Boot does not continue because FIPS verification fails.
> Any ideas or comments about the problem?
Thanks for the reply.
Version is CentOS 1804 and FIPS is enabled by selecting the DISA STIG RHEL7 profile. Otherwise I have not specifically enabled it.
By the way, we experienced it also on another freshly installed server but it happened after an OS update. This time it says "dracut: FATAL: FIPS integrity test failed".
I'll try to test this out this weekend.
It turned out that the UUID of the boot partition was not specified in the GRUB_CMDLINE_LINUX key in the /etc/default/grub file. After adding it manually and rebuilding the grub.conf, the problem has been resolved.
However, I have selected the DISA STIG RHEL7 profile during installation and UUID should have been already added to the boot loader configuration to enable FIPS as described in the following documentation: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations
Somehow the selected profile only adds the fips=1 parameter but not UUID of the boot partition which causes the problem after an update or so.
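The condition described in the comment above (fips=1 present in GRUB_CMDLINE_LINUX but no boot= parameter) can be checked before a reboot. This is an added example, not code from the thread or from the project; the function names and the sample file contents are constructed for illustration, and it assumes /boot is its own partition, as in the report.

```shell
#!/bin/sh
# Added example: audit a grub defaults file for the FIPS boot= omission.

# Print the effective GRUB_CMDLINE_LINUX value with quotes stripped.
# The file is sourced as shell by grub, so the last assignment wins.
grub_cmdline() {
    sed -n 's/^[[:space:]]*GRUB_CMDLINE_LINUX=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Classify the file. Prints one of:
#   fips-off      fips=1 is not on the kernel command line
#   fips-ok       fips=1 and a non-empty boot= are both present
#   fips-no-boot  fips=1 without boot= (the failure reported in this thread)
# The body is a subshell so 'set -f' and the variables stay local.
check_fips_cmdline() (
    set -f                      # do not glob-expand kernel arguments
    fips=0
    boot=0
    for word in $(grub_cmdline "$1"); do
        case "$word" in
            fips=1)  fips=1 ;;
            boot=?*) boot=1 ;;
        esac
    done
    if [ "$fips" -eq 0 ]; then
        echo fips-off
    elif [ "$boot" -eq 1 ]; then
        echo fips-ok
    else
        echo fips-no-boot
    fi
)

# Constructed sample input: the state the thread describes after install,
# then the same line after the manual fix (the UUID is a placeholder).
sample=$(mktemp)
printf '%s\n' 'GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet fips=1"' > "$sample"
echo "as installed: $(check_fips_cmdline "$sample")"
printf '%s\n' 'GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet fips=1 boot=UUID=00000000-0000-0000-0000-000000000000"' > "$sample"
echo "after fix:    $(check_fips_cmdline "$sample")"
rm -f "$sample"
```

On a real host, pass /etc/default/grub as the argument; a result of fips-no-boot means the file needs the boot partition's UUID added before the grub configuration is rebuilt.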
If you pass fips=1 on the installer CMD line, everything works as expected
Hi, Applying the SSG hardening scripts over a Red Hat 7.3 image left me with an error at the booting sequence:
Any recommendations to fix these ones? Regards, Constantin