RedHatGov / ssg-el7-kickstart

DVD embedded Kickstart for RHEL 7 utilizing SCAP Security Guide (SSG) as a hardening script.

Modprobe FIPS Issues #43

Closed agit05 closed 7 years ago

agit05 commented 7 years ago

Hi, Applying the SSG hardening scripts over a Red Hat 7.3 image left me with an error at the booting sequence:

Any recommendations to fix these ones? Regards, Constantin

agit05 commented 7 years ago

Some of the answers can be found here: https://access.redhat.com/solutions/2853221

Still, I am more worried about the sha1 message.

shawndwells commented 7 years ago

If you're applying OpenSCAP/SCAP Security Guide remediations, would recommend pinging that community directly. Your question will likely get much more attention from the content-creation community, as they'll be the ones to patch anything that's causing issues :)

https://github.com/OpenSCAP/scap-security-guide

fcaviggia commented 7 years ago

SHA1 is now deprecated, the recommendation is to move to SHA2 or SHA256 if possible.

https://blog.qualys.com/ssllabs/2014/09/09/sha1-deprecation-what-you-need-to-know

ykorkmaz commented 6 years ago

I am installing CentOS 7 and encountered the same error message during boot just after the installation, i.e. "dracut-pre-trigger[646]: modprobe: FATAL: Module sha1 not found." after selecting DISA STIG RHEL7 security profile. Boot does not continue because FIPS verification fails.

Any ideas or comments about the problem?

fcaviggia commented 6 years ago

Hi,

I can try and figure out the issue, but I need more information:

  1. What version of CentOS 1708, 1804?
  2. Did you select FIPS 140-2 Mode during installation?

-Frank

On Wed, Jul 18, 2018 at 3:10 AM Ya.Ko notifications@github.com wrote:

I am installing CentOS 7 and encountered the same error message during boot just after the installation, i.e. "dracut-pre-trigger[646]: modprobe: FATAL: Module sha1 not found." after selecting DISA STIG RHEL7 security profile. Boot does not continue because FIPS verification fails.

Any ideas or comments about the problem?


ykorkmaz commented 6 years ago

Thanks for the reply.

Version is CentOS 1804 and FIPS is enabled by selecting the DISA STIG RHEL7 profile. Otherwise I have not specifically enabled it.

By the way, we experienced it also on another freshly installed server but it happened after an OS update. This time it says "dracut: FATAL: FIPS integrity test failed".

fcaviggia commented 6 years ago

I'll try to test this out this weekend.

ykorkmaz commented 6 years ago

It turned out that UUID of the boot partition was not specified in the GRUB_CMDLINE_LINUX key in /etc/default/grub file. After adding it manually and rebuilding the grub.conf, the problem has been resolved.

However, I have selected the DISA STIG RHEL7 profile during installation and UUID should have been already added to the boot loader configuration to enable FIPS as described in the following documentation: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations

Somehow the selected profile only adds the fips=1 parameter but not UUID of the boot partition which causes the problem after an update or so.
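The check ykorkmaz's fix implies, as an added example that is not part of this thread or of the ssg-el7-kickstart project: a POSIX shell function that inspects a grub defaults file and reports whether fips=1 is set without the boot= parameter the FIPS integrity check needs when /boot is a separate partition. The sample files and the UUID value are constructed placeholders, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the ssg-el7-kickstart project: verify that a
# grub defaults file which enables FIPS mode (fips=1) also carries the boot=
# parameter pointing the kernel at the /boot partition, which the FIPS
# integrity check in dracut needs when /boot is a separate filesystem.
# Exit codes: 0 = fips=1 and boot= both present, 1 = fips=1 without boot=,
# 2 = FIPS mode not requested, 3 = no GRUB_CMDLINE_LINUX line found.
check_fips_grub() {
    cmdline=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1")
    [ -n "$cmdline" ] || return 3
    case " $cmdline " in
        *" fips=1 "*) ;;
        *) return 2 ;;
    esac
    case " $cmdline " in
        *" boot="*) return 0 ;;
        *) return 1 ;;
    esac
}

# Human-readable wrapper for use from a post-install or post-update hook.
report_fips_grub() {
    rc=0
    check_fips_grub "$1" || rc=$?
    case $rc in
        0) echo "$1: fips=1 with boot= parameter, OK" ;;
        1) echo "$1: fips=1 set but boot= missing; add boot=UUID=<uuid of /boot> and rebuild grub.cfg" ;;
        2) echo "$1: FIPS mode not enabled" ;;
        *) echo "$1: no GRUB_CMDLINE_LINUX line" ;;
    esac
    return $rc
}

# Constructed sample files (the UUID is a placeholder, not a real partition).
PROFILE_ONLY=$(mktemp)
cat > "$PROFILE_ONLY" <<'EOF'
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rhgb quiet fips=1"
EOF
FIXED=$(mktemp)
cat > "$FIXED" <<'EOF'
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rhgb quiet fips=1 boot=UUID=00000000-0000-0000-0000-000000000000"
EOF

report_fips_grub "$PROFILE_ONLY" || true
report_fips_grub "$FIXED" || true
```

Running the same check against the real /etc/default/grub after an update is a cheap way to catch the "FIPS integrity test failed" boot failure before rebooting.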

jamescassell commented 6 years ago

If you pass fips=1 on the installer CMD line, everything works as expected