Agent install on RHEL 9 FIPS enabled workaround

One of our clients needs FIPS enabled on their Linux server. The Checkmk agent won’t install on this without the --nodigest --nofiledigest rpm options. The Updater therefore presents the same issue. Anybody know if one can hardcode the no-digest options in the updater install script?

I think it would be a good feature (for the probable future instances of this) if the agent updater rule in WATO had this option built in.

Same problem here. Were you able to find a solution?

My colleague @bluetomb recently wrote a knowledge-base article on FIPS-enabling. https://checkmk.atlassian.net/wiki/spaces/KB/pages/9472176/How-to+enable+FIPS+mode+RHEL

However, whether it covers the Updater, I am not sure (didn’t completely read it, much less understand it :wink: )

If it does, good for you.
If it doesn’t, good for Matt, as he can maybe do some investigating how to get that to work and possibly add it to the article :smiley:

The article also says to set --nofiledigest. This works when installing manually, but you can’t set this when installing automatically because you can’t edit the rpm install command.

Edit: The article also states that it would work if the package is signed with SHA-256. Unfortunately Checkmk only signs it with MD5.

1 Like

Hello,

While there is currently no workaround for the issue, we recognize the increasing significance of FIPS. As a result, we are actively exploring its integration into our product roadmap.

2 Likes

Hello,

You can try this:

Make a copy of the update scripts.

omd su [sitename]
cp ~/share/check_mk/agents/plugins/cmk_update_agent.py ~/local/share/check_mk/agents/plugins

open the script:

vi ~/local/share/check_mk/agents/plugins/cmk_update_agent.py

search for “def _install_agent_linux_rpm”

and change this line

self._invoke_unix_pkg_manager(["rpm", "-vU", "--oldpackage", "--replacepkgs", filename])

to

self._invoke_unix_pkg_manager(["rpm", "-vU", "--oldpackage", "--replacepkgs", "--nodigest", "--nofiledigest", filename])

delete the old agents in this directory:

~/var/check_mk/agents/linux_rpm

Now you can bake new agents over WATO.

But this isn’t something I prefer. There must be a better solution.
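The manual steps in the post above as a script, added here as an example; it is not code from the thread or from Checkmk. It copies the updater plugin into the site’s local/ hierarchy (the paths are the ones the post gives, to be run as the site user), replaces the exact rpm call quoted above with the version carrying --nodigest --nofiledigest, refuses to touch a file in which that exact line is not present (for instance a newer updater with a different call), and can be re-run safely. The function name patch_updater and the --apply switch are my own.

```shell
#!/bin/sh
# Added example, not part of the thread or of Checkmk.
# Patch a local copy of cmk_update_agent.py so that its rpm call also passes
# --nodigest --nofiledigest (needed when rpm runs in FIPS mode and the package
# carries only an MD5 digest).

# The exact line quoted in the post above, and its replacement.
ORIG_LINE='self._invoke_unix_pkg_manager(["rpm", "-vU", "--oldpackage", "--replacepkgs", filename])'
NEW_LINE='self._invoke_unix_pkg_manager(["rpm", "-vU", "--oldpackage", "--replacepkgs", "--nodigest", "--nofiledigest", filename])'

# patch_updater SRC DEST
#   Copies SRC to DEST unless DEST already exists, rewrites the rpm call,
#   and returns 0 only if DEST ends up with exactly one patched call.
#   Returns 2 (and leaves DEST untouched) if the expected line is absent,
#   so an operator looks at the file instead of shipping a silent no-op.
patch_updater() {
    src="$1"
    dest="$2"
    [ -f "$dest" ] || cp "$src" "$dest" || return 1

    # Already patched: nothing to do (makes re-runs idempotent).
    if grep -qF "$NEW_LINE" "$dest"; then
        return 0
    fi

    if ! grep -qF "$ORIG_LINE" "$dest"; then
        echo "expected rpm call not found in $dest; not modifying it" >&2
        return 2
    fi

    # Literal (non-regex) substitution that keeps the line's indentation.
    awk -v old="$ORIG_LINE" -v new="$NEW_LINE" '
        {
            i = index($0, old)
            if (i) { $0 = substr($0, 1, i - 1) new substr($0, i + length(old)) }
            print
        }' "$dest" > "$dest.tmp" && mv "$dest.tmp" "$dest" || return 1

    # Verify the result before reporting success.
    n=$(grep -cF "$NEW_LINE" "$dest" || true)
    [ "$n" -eq 1 ]
}

# Stand-alone use inside the site (after: omd su SITENAME):
#   sh patch_updater.sh --apply
# The default paths are the ones from the post; adjust them if your site differs.
if [ "${1:-}" = "--apply" ]; then
    patch_updater "$HOME/share/check_mk/agents/plugins/cmk_update_agent.py" \
                  "$HOME/local/share/check_mk/agents/plugins/cmk_update_agent.py"
fi
```

After a successful run, remove the old packages under ~/var/check_mk/agents/linux_rpm and bake again, as the post describes. The script only checks the contents of the file it writes; as the follow-up reply in this thread notes, that does not by itself prove the deployed updater actually runs the patched command, so confirm the arguments on a host afterwards.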

Hi @becmat,

have you tried this change yourself? I rebaked my agents after making the changes you suggested and re-deployed the updater agent, but there was no change to the command-line arguments the updater uses while trying to update the agent.

I don’t know enough about how checkmk builds these agent packages for me to say why this isn’t working and am hoping someone around here could shed some light on this.