docs: update FIPS docs
pstorz committed Jul 29, 2022
1 parent 8abc63c commit 94bc93e
Showing 1 changed file with 10 additions and 9 deletions.
19 changes: 10 additions & 9 deletions docs/manuals/source/TasksAndConcepts/BareosSecurityIssues.rst
Expand Up @@ -99,12 +99,9 @@ Our tests with the :command:`sdelete` command was not successful, as :command:`s
FIPS Mode
---------

The acronym :strong:`FIPS` stands for **Federal Information Processing Standards**.

To be able to run Bareos in `FIPS` mode some adjustment need to be made.

To our knowledge only `Enterprise grade` qualified distribution can be used for the certification
but those rules should apply also to derivative like CentOS or openSUSE.
The acronym :strong:`FIPS` stands for **Federal Information Processing Standards** and defines among others, security requirements for cryptography modules.
Some `Enterprise grade` distributions like RHEL or SLES can be run in FIPS mode, which then enforces the standards defined by `FIPS`.
To run Bareos on an OS that is running in `FIPS` mode, some adjustment need to be made so that Bareos only uses algorithms and protocols that are available in the `FIPS`` mode.


RedHat RHEL 8
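Review bot: the last added sentence of the FIPS Mode introduction ends with `FIPS`` mode, where the doubled backtick after FIPS leaves the inline markup unbalanced; it should be `FIPS` mode. In the same sentence "some adjustment need to be made" should read "some adjustments need to be made", and the first added sentence reads better as "defines, among other things, security requirements for cryptographic modules". The new text names RHEL and SLES as examples, so it would also help to say whether the instructions below are expected to apply to other distributions, since the sentence about derivatives is no longer present.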
Expand Down Expand Up @@ -273,16 +270,19 @@ to enable it refer to OS documentation (mostly adding fips=1 on boot line)
---
read R BLOCK
:strong:`beware of the fileset *Signature* option` all MD5 related function are disabled in `FIPS` mode.
Fileset Signature Algorithm
^^^^^^^^^^^^^^^^^^^^^^^^^^^

if you see errors log like:
The default signature algorithm to verify the integrity of the files is `MD5`.
As all MD5 related function are disabled in `FIPS` mode, Bareos emits errors
like the following when trying to calculate MD5 siguatures on a FIPS system:

.. code-block::
Warning: MD5 digest digest initialization failed
Error: OpenSSL digest initialization failed: ERR=error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS
You will have to change the **Signature** option in you fileset to something stronger than MD5 or SHA1, for example **SHA256**:
To solve this problem, the **Signature** option in your fileset to be changed to something stronger than MD5 or SHA1, for example **SHA256**:

.. code-block:: bareosconfig
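Review bot: the sentence "To solve this problem, the **Signature** option in your fileset to be changed to something stronger" is missing its verb and should read "has to be changed"; "siguatures" in the paragraph under the new heading should be "signatures", and "all MD5 related function are disabled" should be "all MD5-related functions are disabled". The paragraph explains that MD5 is disabled in FIPS mode, but the recommendation excludes "MD5 or SHA1" without saying why SHA1 is ruled out as well; a short clause on that would help readers pick a Signature value. The `.. code-block::` that holds the error output has no language argument, while the fileset example uses `bareosconfig`; giving it an explicit one such as `none` keeps the log lines from being highlighted with the default language.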
Expand All @@ -294,3 +294,4 @@ You will have to change the **Signature** option in you fileset to something str
Signature = "SHA256"
...
With these adaptions, Bareos can be run on a FIPS enabled Operating System.
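Review bot: the added closing sentence uses "FIPS enabled Operating System", while the earlier text in this commit says "an OS that is running in `FIPS` mode" and "a FIPS system"; "FIPS-enabled operating system" (hyphenated, lower case) would be consistent, and "adaptions" is more commonly written "adaptations". Since the hunk adds this single line directly after the `...` of the bareosconfig example, please confirm it is separated from the code block by a blank line and is not indented, so it renders as a paragraph rather than as part of the example.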
