FIPS support for agent

3 votes

We use a standardized security profile (OSPP) on our Red Hat servers. This goes hand in hand with the activation of FIPS.
FIPS ensures that only certain encryption algorithms may be used.
Using Checkmk as an example (the last time I looked), the RPM also had MD5 in addition to SHA256 encryption. However, as soon as weak encryption is present, the strong one can no longer be trusted. This means that the agent cannot be installed using rpm -i. If you also specify the --nodigest switch, it works.
However, as soon as the updater attempts an update, the additional switch is not used and you end up with an uninstalled agent (the old one has been removed, the new one cannot be installed).
If you use --nodigest, you violate the FIPS regulations and no longer meet the standard. In this respect, a workaround would be desirable.
(Comment from Matthias)

Released Version 2.4 Suggested by: Matthew Hierholzer Upvoted: 24 Aug, '24 Comments: 5
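A pre-deployment check for the situation described in the request above, as an added example that is not part of the original post and not Checkmk's code: it reads the signature header of an RPM and lists the digest tags it carries, so a package that still ships an MD5 digest can be flagged before it reaches a FIPS-mode host. The function names, the `REJECTED` policy set and the sample bytes are assumptions made for this example; the tag numbers are the ones rpm defines for its signature header.

```python
import struct
import sys

LEAD_SIZE = 96                      # fixed-size RPM lead
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # header magic + version byte
# Digest tags of the RPM signature header (numbers as defined by rpm).
DIGEST_TAGS = {1004: "MD5", 269: "SHA1", 273: "SHA256"}
REJECTED = {"MD5"}  # assumption: only the algorithm the post names


def digest_tags(data: bytes) -> list:
    """Names of the digest tags found in the signature header index."""
    if data[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM package: bad lead magic")
    intro = data[LEAD_SIZE:LEAD_SIZE + 16]
    if len(intro) < 16 or intro[:4] != HEADER_MAGIC:
        raise ValueError("signature header missing or corrupt")
    nindex, _store_size = struct.unpack(">II", intro[8:16])
    index = data[LEAD_SIZE + 16:LEAD_SIZE + 16 + 16 * nindex]
    if len(index) != 16 * nindex:
        raise ValueError("signature header index truncated")
    # Each index entry is four big-endian uint32: tag, type, offset, count.
    return [DIGEST_TAGS[tag]
            for tag, _type, _off, _count in struct.iter_unpack(">IIII", index)
            if tag in DIGEST_TAGS]


def blockers(data: bytes) -> list:
    """Digest algorithms in the package that the local policy rejects."""
    return sorted(set(digest_tags(data)) & REJECTED)


def build_sample(tags) -> bytes:
    """Constructed input: a lead plus a signature header with dummy values."""
    index, store = b"", b""
    for tag in tags:
        index += struct.pack(">IIII", tag, 7, len(store), 16)  # 7 = BIN
        store += bytes(16)
    intro = HEADER_MAGIC + bytes(4) + struct.pack(">II", len(tags), len(store))
    return LEAD_MAGIC + bytes(LEAD_SIZE - 4) + intro + index + store


if __name__ == "__main__":
    if len(sys.argv) > 1:           # path to a real .rpm file
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read(1 << 20)  # lead and signature header sit at the start
    else:
        blob = build_sample([1004, 273])
    print("digests:", digest_tags(blob), "rejected:", blockers(blob))
    sys.exit(1 if blockers(blob) else 0)
```

Run with the path to an agent package as the only argument; a non-zero exit status means the package carries a digest from the rejected set.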
