One of our clients needs FIPS enabled on their Linux server. Checkmk agent won’t install on this without the --nodigest --nofiledigest rpm options. The Updater therefore presents the same issue. Anybody know if one can hardcode the no-digest options in the updater install script?
I think it would be a good feature (for the probable future instances of this) if the agent updater rule in WATO had this option built in.
However, whether it covers the Updater, I am not sure (didn’t completely read it, much less understand it).
If it does, good for you.
If it doesn’t, good for Matt, as he can maybe do some investigating into how to get that to work and possibly add it to the article.
The article also says to set --nofiledigest; this works when installing manually, but you can’t set this when installing automatically because you can’t edit the rpm install command.
Edit: The article also states that it would work if the package is signed with SHA-256. Unfortunately Checkmk only signs it with MD5.
While there is currently no workaround for the issue, we recognize the increasing significance of FIPS. As a result, we are actively exploring its integration into our product roadmap.
Have you tried this change yourself? I rebaked my agents after making the changes you suggested and re-deployed the updater agent, but there was no change to the command-line arguments the updater uses while trying to update the agent.
I don’t know enough about how checkmk builds these agent packages for me to say why this isn’t working and am hoping someone around here could shed some light on this.
At this early stage of the project, we’re unable to provide a reliable timeline for achieving full FIPS support. Our initial focus is on assessing our current gaps and identifying areas requiring attention.
With the upcoming release of Checkmk 2.4.0, we aim to make significant strides towards full FIPS support. However, it’s possible that one additional version may be necessary to complete this task. Nonetheless, our goal is to furnish information on the current FIPS compliance status for each Checkmk installation.
Thanks for your reply @bluetomb. For now we are working with a workaround in your Ansible code, like something below, where we purely check the FIPS mode and based on that implement your --nodigest --nofiledigest workaround.
But if the signing is different this would be obsolete code.
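As an added example (not code from this thread, the poster's Ansible role, or the Checkmk project): a POSIX shell wrapper that applies --nodigest --nofiledigest only when the host is in FIPS mode and the package still carries MD5 file digests, so the workaround retires itself once the packages ship SHA-256 digests. The use of /proc/sys/crypto/fips_enabled, the FILEDIGESTALGO rpm tag and its value mapping are assumptions stated in the comments.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Checkmk project.
# Assumptions: /proc/sys/crypto/fips_enabled reads 1 in FIPS mode; rpm's
# FILEDIGESTALGO header tag holds the PGP hash algorithm number of the file
# digests (1 = MD5, 8 = SHA-256) and is absent on packages that use MD5.

FIPS_FLAG_FILE="${FIPS_FLAG_FILE:-/proc/sys/crypto/fips_enabled}"

# Exit 0 when the kernel reports FIPS mode. Optional argument: an
# alternative flag file, used by the tests.
fips_mode_enabled() {
    f="${1:-$FIPS_FLAG_FILE}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Prints the file digest algorithm number of an rpm package; "1" when the
# tag is absent, because rpm then assumes MD5.
package_digest_algo() {
    algo="$(rpm -qp --qf '%{FILEDIGESTALGO}' "$1" 2>/dev/null)"
    case "$algo" in
        ''|'(none)') printf '1' ;;
        *) printf '%s' "$algo" ;;
    esac
}

# Prints the rpm options needed for a package whose digest algorithm number
# is $1 on a host whose FIPS flag file is $2; prints nothing when the
# package already uses a FIPS-approved digest or the host is not in FIPS
# mode, so the bypass disappears once the packages carry SHA-256 digests.
rpm_fips_flags() {
    if [ "$1" = "1" ] && fips_mode_enabled "$2"; then
        printf '%s' '--nodigest --nofiledigest'
    fi
}

# Assembles (but does not run) the install command for a package.
build_rpm_install_cmd() {
    pkg="$1"
    flags="$(rpm_fips_flags "$(package_digest_algo "$pkg")" "$2")"
    if [ -n "$flags" ]; then
        printf 'rpm -Uvh %s %s' "$flags" "$pkg"
    else
        printf 'rpm -Uvh %s' "$pkg"
    fi
}
```

Run as `build_rpm_install_cmd /path/to/check-mk-agent.rpm` on the target host; the path is a placeholder.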
@mouwerkerk maybe you want to create a PR against the collection, so we can incorporate this (even if just for the time it works)? That way, everyone can profit and help improve it.