
Tip

This article is no longer relevant due to the release of Checkmk version 2.3.0p15. For more information, please refer to Werk 17093.



Warning

Proceed with caution, as Checkmk does not currently support FIPS configurations.

This article is a workaround only!

Status: Last tested on Checkmk 2.2.0p1



  1. Verify if FIPS is already enabled on the system

    $ fips-mode-setup --check
    FIPS mode is enabled.


    If FIPS is not enabled, you will need to enable it using Red Hat's official methods.



  2. The Checkmk agent itself works fine under FIPS mode, as the following screens show. The problem is that the MD5-signed RPM does not install.


    Tip

    GNU Privacy Guard (GPG) signatures are digital signatures that verify the authenticity of data or communication. 

    To find out which file digest algorithm an RPM was built with, query its filedigestalgo header tag with the command below:

    [LinuxUser~]$ rpm -qp --qf "%{filedigestalgo}\n" check-mk-agent-2.3.0p4-93d660e1b182fc28.noarch.rpm
    (none)


    # A stock RHEL package, queried the same way, reports "8", which means SHA-256.
    [LinuxUser~]$ rpm -qp --qf "%{filedigestalgo}\n" package/openssh-server-8.7p1-38.el9.x86_64.rpm
    8


    The algorithms are SHA1, SHA256, SHA384, and SHA512, which are represented as 2, 8, 9, and 10 respectively. A value of (none) means the tag is absent from the header, in which case rpm falls back to MD5 (value 1) for its per-file digests, and MD5 is exactly what FIPS mode disallows.



    If the RPM is signed with SHA256, or the --nofiledigest option is specified, Checkmk should install without fail.

    [user@redhat8host ~]$ sudo rpm -ivh --nofiledigest check-mk-agent-2.1.0p16-d88c216c6ads3a29.noarch_1.rpm
    
    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:
    
    	#1) Respect the privacy of others.
    	#2) Think before you type.
    	#3) With great power comes great responsibility.
    
    [sudo] password for checkmk:
    verifying ...                       #########################################################[100%]
    preparing ...                       #########################################################[100%]
    updating / installing ...
    	1:check-mk-agent-2.1.0p16-3.d88c216######################################################[100%]
    
    
    Deploying systemd units: check-mk-agent-async.service check-mk-agent.socket check-mk-agent@.service cmk-agent-ctl-daemon.service
    Deployed systemd
    Creating/updating cmk-agent user account ..
    
    WARNING: The agent controller is operating in an insecure mode! To secure the connection run `cmk-agent-ctl register'
    
    Activating systemd unit 'check-mk-agent-async.service'..
    Created symlink /etc/systemd/system/multi-user.target.wants/check-mk-agent-async.service → /usr/lib/systemd/system/check-mk-agent-async.service.
    Activating systemd unit 'check-mk-agent.socket'..
    Created symlink /etc/systemd/system/sockets.target.wants/check-mk-agent.socket → /usr/lib/systemd/system/check-mk-agent.socket.
    Activating systemd unit 'cmk-agent-ctl-daemon.service'..
    Created symlink /etc/systemd/system/multi-user.target.wants/cmk-agent-ctl-daemon.service → /usr/lib/systemd/system/cmk-agent-ctl-daemon.service.
    [user@redhat8host ~]$

    Normal baked RPM is signed by MD5.


    The RPM would need to be signed with SHA256 to install normally; until then, the --nofiledigest option lets Checkmk install. Keep in mind that --nofiledigest only skips rpm's per-file digest verification, so the package should still come from a trusted source such as the agent bakery of your own Checkmk site. Also note the warning in the output above: until you run `cmk-agent-ctl register` against your site, the agent controller keeps operating in the insecure mode it warns about.
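As an added example (not part of the original article), the following POSIX shell script classifies an RPM's file digest algorithm the same way the rpm queries above do and reports whether rpm can verify it on a FIPS host. The function names, verdict strings and exit codes are this example's own; check_rpm assumes rpm is installed when pointed at a real package.

```shell
#!/bin/sh
# Added example, not from the original article: decide whether an RPM's
# per-file digests can be verified on a FIPS-enabled host, based on the
# FILEDIGESTALGO header tag queried with rpm -qp --qf '%{filedigestalgo}'.

# Map rpm's numeric hash algorithm id to a name. "(none)" means the tag is
# missing from the header; rpm then falls back to MD5 for file digests.
digest_name() {
  case "$1" in
    "(none)"|1) echo MD5 ;;
    2)  echo SHA1 ;;
    8)  echo SHA256 ;;
    9)  echo SHA384 ;;
    10) echo SHA512 ;;
    *)  echo UNKNOWN ;;
  esac
}

# Return 0 only for SHA-2 digests. MD5 is unavailable in FIPS mode, and
# SHA-1 is deliberately treated as not good enough here, matching the
# article's recommendation that the package be digested with SHA256.
fips_verifiable() {
  case "$(digest_name "$1")" in
    SHA256|SHA384|SHA512) return 0 ;;
    *) return 1 ;;
  esac
}

# Query a real package (needs rpm on the host) and print a verdict line.
# Exit status: 0 installs normally, 1 needs --nofiledigest, 2 unreadable.
check_rpm() {
  pkg="$1"
  algo=$(rpm -qp --qf '%{filedigestalgo}\n' "$pkg" 2>/dev/null) || {
    echo "$pkg: cannot read package header"; return 2; }
  name=$(digest_name "$algo")
  if fips_verifiable "$algo"; then
    echo "$pkg: file digests use $name; rpm can verify them under FIPS"
    return 0
  fi
  echo "$pkg: file digests use $name; FIPS blocks their verification, so"
  echo "  install only with: sudo rpm -ivh --nofiledigest $pkg"
  return 1
}

# Usage: sh check_rpm_digest.sh check-mk-agent-*.noarch.rpm
if [ "$#" -gt 0 ]; then
  for p in "$@"; do check_rpm "$p"; done
fi
```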


  3. While it initially looks like the Checkmk agent isn't working, please note the "no route to host" error. We will need to enable a few firewall rules within the OS.

    Initially the check will report "no route to host"; this is normal, and we will need to add a firewall rule.


  4. Adding Checkmk Agent ports to the firewall.


    Info

    Add "--permanent" to firewall-cmd to make firewall rules persistent. A rule added with --permanent only takes effect after firewall-cmd --reload, so either run each command twice (with and without --permanent) or add the runtime rules as shown below and then run firewall-cmd --runtime-to-permanent.


    Allow port 6556 for both TCP and UDP

    [user@redhat8host ~]$ sudo firewall-cmd --add-port=6556/tcp
    success  
    
    [user@redhat8host ~]$ sudo firewall-cmd --add-port=6556/udp
    success


    [user@redhat8host ~]$ sudo firewall-cmd --list-all
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: ens18
      sources:
      services: cockpit dhcpv6-client ssh
      ports:
      protocols:
      forward: no
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:
    
    [user@redhat8host ~]$ sudo firewall-cmd --add-port=6556/tcp
    success
    
    [user@redhat8host ~]$ sudo firewall-cmd --add-port=6556/udp
    success
    
    [user@redhat8host ~]$ sudo firewall-cmd --list-all
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: ens18
      sources:
      services: cockpit dhcpv6-client ssh
      ports: 6556/tcp 6556/udp
      protocols:
      forward: no
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:
    [user@redhat8host ~]$



  5. You will then want to rescan the host and accept the changes.

    Click accept all to accept the changes


  6. Now we can see that the Checkmk agent and Service Discovery are working.

    Status will change after the firewall rule has been applied


  7. We can now verify that these changes have been applied at the OS level.


  8. First, we will check that the FIPS mode is enabled.

    [user@redhat8host ~]$ fips-mode-setup --check
    FIPS mode is enabled.
    
    [user@redhat8host ~]$ sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Memory protection checking:     actual (secure)
    Max kernel policy version:      33
    
    [user@redhat8host ~]$


  9. Next, we will


    1. We will need to verify that port 6556 is open for TCP and UDP

      [user@redhat8host ~]$ sudo firewall-cmd --list-all
      public (active)
        target: default
        icmp-block-inversion: no
        interfaces: ens18
        sources:
        services: cockpit dhcpv6-client ssh
        ports: 6556/tcp 6556/udp
        protocols:
        forward: no
        masquerade: no
        forward-ports:
        source-ports:
        icmp-blocks:
        rich rules:
      
      [user@redhat8host ~]$


    2. Finally, we can verify that check-mk-agent is running correctly.

      [user@redhat8host ~]$ systemctl status check-mk-agent.socket
      ● check-mk-agent.socket - Local Checkmk agent socket
         Loaded: loaded (/usr/lib/systemd/system/check-mk-agent.socket; enabled; vendor preset: disabled)
         Active: active (running) since Mon 2022-12-12 20:35:07 EST; 49min ago
         Listen: /run/check-mk-agent.socket (Stream)
       Accepted: 36; Connected: 0;
          Tasks: 0 (limit: 24726)
         Memory: 4.0K
         CGroup: /system.slice/check-mk-agent.socket
      
      Dec 12 20:35:07 redhat8host systemd[1]: Starting Local Checkmk agent socket.
      Dec 12 20:35:07 redhat8host systemd[1]: Listening on Local Checkmk agent socket.
      [user@redhat8host ~]$


      [user@redhat8host ~]$ systemctl status cmk-agent-ctl-daemon.service
      ● cmk-agent-ctl-daemon.service - Checkmk agent controller daemon
         Loaded: loaded (/usr/lib/systemd/system/cmk-agent-ctl-daemon.service; enabled; vendor preset: disabled)
         Active: active (listening) since Mon 2022-12-12 20:35:07 EST; 49min ago
       Main PID: 4975 (cmk-agent-ctl)
          Tasks: 3 (limit: 24726)
         Memory: 10.3M
         CGroup: /system.slice/cmk-agent-ctl-daemon.service
                 └─4975 /usr/bin/cmk-agent-ctl daemon
      
      Dec 12 20:35:07 redhat8host systemd[1]: Started Checkmk agent controller daemon.
      [user@redhat8host ~]$

