DISA STIG RHEL-07: modprobe: FATAL: Module sha1 not found and FIPS integrity test failed #3136

Closed
ykorkmaz opened this issue Jul 18, 2018 · 3 comments
Labels: Bash (Bash remediation update.)


@ykorkmaz

Description of problem:

After installing CentOS 7 on a physical server with the DISA STIG profile selected, I got the following error messages and cannot boot into the OS: "dracut-pre-trigger[646]: modprobe: FATAL: Module sha1 not found" and "FIPS integrity test failed".
I have already repeated the installation a couple of times and got the same error message, and I think it is because of the selected security profile, which is DISA STIG RHEL7.

SCAP Security Guide Version:

Built-in CentOS

Operating System Version:

CentOS 7

Steps to Reproduce:

  1. Start OS installation on a server with UEFI boot
  2. Select DISA STIG RHEL7 profile
  3. Reboot the server

Actual Results:

FIPS verification failed

Expected Results:

FIPS verification successful

Additional Information/Debugging Steps:

@ykorkmaz
Author

It turned out that the UUID of the boot partition was not specified in the GRUB_CMDLINE_LINUX key in the /etc/default/grub file. After adding it manually and rebuilding the grub.conf, the problem has been resolved.

However, I have selected the DISA STIG RHEL7 profile during installation and UUID should have been already added to the boot loader configuration to enable FIPS as described in the following documentation: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations

Somehow the selected profile only adds the fips=1 parameter but not the UUID of the boot partition, which causes the problem after an update or so.
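
A pre-reboot check for the state described in the comment above, added here as an example; it is not part of the original thread and not the project's remediation script. It assumes a grub defaults file in the usual `KEY="value"` form; the function name, sample files and placeholder UUID are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag a grub defaults file that enables FIPS mode (fips=1)
# without a boot= argument identifying the boot partition.
# Exit status: 0 = consistent, 1 = fips=1 without boot=, 2 = key missing.
check_fips_cmdline() (
    set -f  # do not glob-expand kernel arguments while splitting them
    # Last assignment wins; GRUB_CMDLINE_LINUX_DEFAULT is deliberately not matched.
    line=$(grep -E '^[[:space:]]*GRUB_CMDLINE_LINUX=' "$1" | tail -n 1)
    if [ -z "$line" ]; then
        echo "$1: GRUB_CMDLINE_LINUX not found"
        exit 2
    fi
    # Drop the key and the surrounding quotes, then walk the arguments.
    args=$(printf '%s' "${line#*=}" | tr -d "\"'")
    fips=0
    boot=
    for a in $args; do
        case $a in
            fips=1) fips=1 ;;
            boot=*) boot=$a ;;
        esac
    done
    if [ "$fips" -eq 0 ]; then
        echo "$1: fips=1 not set, nothing to check"
        exit 0
    fi
    if [ -z "$boot" ]; then
        echo "$1: FAIL fips=1 is set but no boot= argument is present"
        exit 1
    fi
    echo "$1: OK fips=1 with $boot"
)

# Constructed sample files (placeholder UUID, not from the reporter's system).
demo=$(mktemp -d)
echo 'GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet fips=1"' > "$demo/as_reported"
echo 'GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet fips=1 boot=UUID=00000000-0000-0000-0000-000000000000"' > "$demo/after_fix"
for f in as_reported after_fix; do
    check_fips_cmdline "$demo/$f" || true
done
rm -rf "$demo"
```

On a host hardened with the profile, point the function at /etc/default/grub before the first reboot.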

@redhatrises modified the milestone: Backlog Oct 1, 2018
@matejak
Member

matejak commented Mar 14, 2019

For reference, we have a related BZ issue:

https://bugzilla.redhat.com/show_bug.cgi?id=1672737

The remediation seems to add the UUID, check out linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh, could @ykorkmaz please recheck whether it is still valid?

@Mab879
Member

Mab879 commented Jul 1, 2024

Thanks for opening this issue.

RHEL 7 has been removed from the project. See #12093 for more details.

I'm closing this issue since RHEL7 has been removed from the project and there are signs that the issue might already be fixed.

@Mab879 closed this as not planned Jul 1, 2024