How-to enable FIPS mode (RHEL)

Owned by Matthew Hierholzer
Last updated: Dec 11, 2023
3 min read


This article explains how to enable FIPS mode in RHEL-based systems working with Checkmk.

(FIPS)is the Federal Information Processing Standards. It is a set of standards issued by the National Institute of Technology (NIST) in the United States to ensure the security and interoperability of information technology systems. Federal agencies and contractors use these standards to ensure their information systems are secure and meet certain/specific requirements for handling sensitive information/data.

LAST TESTED ON CHECKMK 2.2.0P1

Table of Contents


Proceed with caution, as Checkmk does not currently support FIPS configurations.

Step-by-step guide

  1. You must add "fips=1" to the boot options within the install GRUB menu for RHEL. Press TAB and then append "fips=1" at the end of the vmlinuz option set.




  2.  After installing the OS with FIPS mode enabled, you can see that it is possible to install Checkmk Agent despite online forums and customer concerns that Checkmk can't work with FIPS mode.

    The application works with FIPS mode fine, as the following screens show. The problem is that it doesn't install with the MD5-signed RPM.

    If the RPM is signed by SHA256 or the --nofiledigest option is specified, Checkmk installs fine.

    [user@redhat8host ~]$ sudo rpm -ivh --nofiledigest check-mk-agent-2.1.0p16-d88c216c6ads3a29.noarch_1.rpm

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

	#1) Respect the privacy of others.
	#2) Think before you type.
	#3) With great power comes great responsibility.

[sudo] password for checkmk:
verifying ...                       #########################################################[100%]
preparing ...                       #########################################################[100%]
updating / installing ...
	l:check-mk-agent-2.1.0p16-3.d88c216######################################################[100%]


Deploying systemd units: check-mk-agent-async.service check-mk-agent.socket check-mk-agent@.service cmk-agent-ctl-daemon.service
Deployed systemd
Creating/updating cmk-agent user account ..

WARNING: The agent controller is operating in an insecure mode! To secure the connection run `cmk-agent-ctl register'

Activating systemd unit *check-mk-agent-async.service'..
Created symlink /etc/systemd/system/multi-user.target.wants/check-mk-agent-async.service - /usr/lib/systemd/system/check-mk-agent-async.service.
Activating systemd unit *check-mk-agent.socket"
Created symlink /etc/systemd/system/sockets.target.wants/check-mk-agent.socket ep etstthe - ustf ttorsys teudr /usr/lib/systemd/system/check-mk sys tem/ check-mk-agent. socket.
Activating systemd unit *cmk-agent-ctl-daemon.service' ..'
Created symlink /etc/systemd/system/multi-user,target.wants/cmk-agent-ctl-daemon.service - /usr/lib/systemd/system/cmk-agent-ctl-daemon.service.
[user@redhat8host ~]$


    Normal baked RPM is signed by MD5. This needs to be signed by SHA256. The --nofiledigest option will install Checkmk.



  3. While initially, it looks like Checkmk Agent isn't working, please note the "no route to host" error. We will need to enable a few firewall rules within the OS.

    Initially this will say no route to host, this is normal and we will need to add a firewall rule


  4. Adding Checkmk Agent ports to the firewall.

    Add "--permanent" to firewall-cmd to make firewall rules persistent.


    Allow port 6556 for both TCP and UDP

    [user@redhat8host ~]$ sudo firewall-cmd --add-port=6556/tcp
success  

[user@redhat8host ~]$ sudo firewall-cmd --add-port=6556/udp
success
    [user@redhat8host ~]$ sudo firewall-cmd --list-all
public (active)
target: default
icmp-block-tnverston: no
interfaces: ens18
sources:
services: cockpit dhcpv6-cllent ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[user@redhat8host ~]$ sudo firewall-cmd --add-port=6556/tcp
Success

[user@redhat8host ~]$ sudo firewall-cmd --add-port=6556/udp
success

[user@redhat8host -]$ sudo firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens18
sources:
services: cockpit dhcpv6-client ssh
ports: 6556/tcp 6556/udp
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icnp-blocks:
rich rules:
[user@redhat8host ~]$



  5. You will then want to rescan the host and accept the changes.

    Click accept all to accept the changes


  6. Now we can see that the Check_MK agent and Service Discovery are working.

    Status will change after the firewall rule has been applied


  7. We can now verify that these changes have been applied at the OS level.
    .

    1. First, we will check that the FIPS mode is enabled.

      [user@redhat8host ~]$ fips-mode-setup --check
FIPS mode is enabled.

[user@redhat8host ~]$ sestatus
SELinux status:					enabled
SELinux mount:					/sys/fs/selinux
SELinux root directory:			/etc/selinux
Loaded policy name:				targeted
Current mode:					enforcing
Mode fron conflg flle:			enforcing
Policy MLS status:				enabled
Policy deny_unknown status: 	allowed
Memory protectlon checking: 	actual (secure)
Max kernel policy version!		33

[user@redhat8host ~]$

      .

    2. Next, we will verify that port 6556 is open for TCP and UDP

      [user@redhat8host ~]$ sudo firewall-cmd --list-all
public (active)
	target: default
	icmp-block-inversion: no	
	interfaces: ens18
	sources:
	services: cockpit dhcpv6-client ssh
	ports: 6556/tcp 6556/udp
	protocols:
	forward: no
	masquerade: no
	forward-ports:
	source-ports:
	icmp-blocks:
	rich rules:

[user@redhat8host ~]$

      .

    3. Finally, we can verify that the checmk-mk-agent is running correctly.

      [user@redhat8host ~]$ systemctl status check-mk-agent.socket
	check-mk-agent.socket - Local Checkmk agent socket
	loaded: loaded (/usr/lib/systemd/system/check-mk-agent.socket; enabled; vendor preset: disabled)
	Active: active (running)/ since Mon 2022.12-12 20:35:07 EST: 49min ago
	Listen: /run/check-mk-ayent.socket (stream)
	Accepted: 36; Connected: 0;
	Tasks: 0 (limit: 24726)
	Memory: 4.0K
	CGroup: /system.slice/check-mk-agent.socket

Dec 12 20:35:07 redhat8host[1]: Starting Local Checkmk agent socket. 
Dec 12 20:35:07 redhat8host[1]: Listening on Local checkmk agent socket.
[user@redhat8host ~]$
      [user@redhat8host ~]$ systemctl status cmk-agent-ctl-daemon.service
	cmk-agent-ctl-daemon.service - Checkmk agent controller daemon
	Loaded: loaded (/usr/1ib/systemd/system/cmk-agent.ctl-daemon.service; enabled; vendor preset: disabled)
	Active: active (listening) since Mon 2022-12-12 20:35:07 EST; 49nin ago
	Main PID: 4975 (cmk-agent-ctl)
	Tasks: 3 (limit; 24726)
	Memory; 10.3M
	CGroup: /system.slice/cmk-agent-ctl-daemon.service
	- 4975/usr/bin/cmk-agent-ctl daemon

Dec 12 20:35:07 redhat8host systemd[1]: Started Checkmk agent controller daemon.
[user@redhat8host ~]$