Bug
Resolution: Unresolved
Quality / Stability / Reliability
Important
Description of problem:
The md5 algorithm is not a FIPS-compliant algorithm. The File Integrity Operator should NOT report Succeeded on a FIPS-enabled cluster when the md5 algorithm is used in the AIDE config.
Version-Release number of selected component (if applicable):
file-integrity-operator.v1.3.6
How reproducible:
1. Create configmap
Steps to Reproduce:
1. Create a configmap
$ oc create configmap myconf --from-file=aide-config=md5aide.conf.rhel8
$ cat md5aide.conf.rhel8
# Example configuration file for AIDE.
@@define DBDIR /hostroot/etc/kubernetes
@@define LOGDIR /hostroot/etc/kubernetes
database=file:@@{DBDIR}/aide.db.gz
database_out=file:@@{DBDIR}/aide.db.gz.new
gzip_dbout=yes
verbose=5
report_url=file:@@{LOGDIR}/aide.log.new
report_url=stdout
PERMS = p+u+g+acl+selinux+xattrs
CONTENT_EX = md5+sha512+ftype+p+u+g+n+acl+selinux+xattrs

/hostroot/boot/    CONTENT_EX
/hostroot/root/\..* PERMS
/hostroot/root/    CONTENT_EX
!/hostroot/root/\.kube
!/hostroot/usr/src/
!/hostroot/usr/tmp/
/hostroot/usr/     CONTENT_EX

# OpenShift specific excludes
!/hostroot/opt/
!/hostroot/var
!/hostroot/etc/NetworkManager/system-connections/
!/hostroot/etc/mtab$
!/hostroot/etc/.*~
!/hostroot/etc/kubernetes/static-pod-resources
!/hostroot/etc/kubernetes/aide.*
!/hostroot/etc/kubernetes/manifests
!/hostroot/etc/kubernetes/kubelet-ca.crt
!/hostroot/etc/docker/certs.d
!/hostroot/etc/selinux/targeted
!/hostroot/etc/openvswitch/conf.db
!/hostroot/etc/kubernetes/cni/net.d
!/hostroot/etc/kubernetes/cni/net.d/*
!/hostroot/etc/machine-config-daemon/currentconfig$
!/hostroot/etc/machine-config-daemon/node-annotation.json*
!/hostroot/etc/pki/ca-trust/extracted/java/cacerts$
!/hostroot/etc/cvo/updatepayloads
!/hostroot/etc/cni/multus/certs
!/hostroot/etc/kubernetes/compliance-operator
!/hostroot/etc/kubernetes/node-feature-discovery
!/hostroot/etc/mco/internal-registry-pull-secret.json$

# Catch everything else in /etc
/hostroot/etc/     CONTENT_EX
2. Create fileintegrity
% oc get fileintegrity example-fileintegrity -o yaml
apiVersion: fileintegrity.openshift.io/v1alpha1
kind: FileIntegrity
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"fileintegrity.openshift.io/v1alpha1","kind":"FileIntegrity","metadata":{"annotations":{},"name":"example-fileintegrity","namespace":"openshift-file-integrity"},"spec":{"config":{"gracePeriod":15,"key":"aide-conf","name":"myconf","namespace":"openshift-file-integrity"},"debug":false,"nodeSelector":{"node.openshift.io/os_id":"rhcos"}}}
  creationTimestamp: "2025-05-17T16:35:47Z"
  generation: 2
  name: example-fileintegrity
  namespace: openshift-file-integrity
  resourceVersion: "72934"
  uid: ff8c0d81-5e14-43e3-8502-ef05d7999a4f
spec:
  config:
    gracePeriod: 15
    key: aide-conf
    maxBackups: 5
    name: myconf
    namespace: openshift-file-integrity
  debug: true
  nodeSelector:
    node.openshift.io/os_id: rhcos
  tolerations:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
    operator: Exists
  - effect: NoSchedule
    key: node-role.kubernetes.io/infra
    operator: Exists
status:
  phase: Active
3. Check the status of fileintegritynodestatus
Actual results:
All fileintegritynodestatus objects show Succeeded:
% oc get fileintegritynodestatus
NAME                                                              NODE                                        STATUS
example-fileintegrity-ip-10-0-13-237.us-east-2.compute.internal   ip-10-0-13-237.us-east-2.compute.internal   Succeeded
example-fileintegrity-ip-10-0-20-245.us-east-2.compute.internal   ip-10-0-20-245.us-east-2.compute.internal   Succeeded
example-fileintegrity-ip-10-0-33-196.us-east-2.compute.internal   ip-10-0-33-196.us-east-2.compute.internal   Succeeded
example-fileintegrity-ip-10-0-43-224.us-east-2.compute.internal   ip-10-0-43-224.us-east-2.compute.internal   Succeeded
example-fileintegrity-ip-10-0-69-157.us-east-2.compute.internal   ip-10-0-69-157.us-east-2.compute.internal   Succeeded
example-fileintegrity-ip-10-0-86-33.us-east-2.compute.internal    ip-10-0-86-33.us-east-2.compute.internal    Succeeded

% oc logs pod/aide-example-fileintegrity-85ml4
Defaulted container "daemon" out of: daemon, check-folder (init)
2025-05-17T16:37:36Z: Starting the AIDE runner daemon
W0517 16:37:36.397326       1 client_config.go:659] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
2025-05-17T16:37:36Z: debug: Getting FileIntegrity openshift-file-integrity/example-fileintegrity
2025-05-17T16:37:36Z: debug: Still waiting for file integrity instance initialization
2025-05-17T16:37:36Z: debug: aide files locked by aideLoop
2025-05-17T16:37:36Z: running aide check
2025-05-17T16:38:10Z: aide check returned status 0
2025-05-17T16:38:10Z: debug: copying /hostroot/etc/kubernetes/aide.log.new to /hostroot/etc/kubernetes/aide.log
2025-05-17T16:38:10Z: debug: aide files unlocked by aideLoop
2025-05-17T16:38:10Z: debug: creating temporary configMap 'aide-example-fileintegrity-ip-10-0-33-196.us-east-2.compute.internal' to report a successful scan result
2025-05-17T16:38:25Z: debug: aide files locked by aideLoop
2025-05-17T16:38:25Z: running aide check
2025-05-17T16:38:59Z: aide check returned status 0
2025-05-17T16:38:59Z: debug: copying /hostroot/etc/kubernetes/aide.log.new to /hostroot/etc/kubernetes/aide.log
2025-05-17T16:38:59Z: debug: aide files unlocked by aideLoop
2025-05-17T16:38:59Z: debug: creating temporary configMap 'aide-example-fileintegrity-ip-10-0-33-196.us-east-2.compute.internal' to report a successful scan result
Expected results:
The fileintegritynodestatus should show ERRORED, as a disallowed algorithm is being used.
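The validation this report asks for, as an added example written for this page and not the operator's own code: it scans an aide.conf and flags every hash attribute that is not SHA-2, both in group definitions such as CONTENT_EX and in attribute lists on selection rules. The list of AIDE hash attribute names and the choice of sha256/sha512 as the approved set are assumptions of the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Hash attribute names AIDE recognizes (list assumed for this example) and the
// subset this example treats as FIPS-approved (SHA-2 only; policy assumed).
var knownHashes = map[string]bool{"md5": true, "sha1": true, "sha256": true, "sha512": true,
	"rmd160": true, "tiger": true, "crc32": true, "crc32b": true, "haval": true, "gost": true, "whirlpool": true}
var fipsApproved = map[string]bool{"sha256": true, "sha512": true}

// NAME = attr+attr... group definitions. Option lines such as database=file:...
// also match but carry no hash tokens, so they fall through harmlessly.
var groupDef = regexp.MustCompile(`^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+)$`)

// FIPSViolations scans aide.conf text and returns one finding per non-approved
// hash attribute. Comments, @@ directives and negative ("!") rules carry no
// attributes and are skipped; group references on rule lines are not expanded,
// because the group definitions themselves are checked.
func FIPSViolations(conf string) []string {
	var findings []string
	for i, raw := range strings.Split(conf, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || line[0] == '#' || line[0] == '!' || strings.HasPrefix(line, "@@") {
			continue
		}
		var where, attrs string
		if m := groupDef.FindStringSubmatch(line); m != nil {
			where, attrs = "group "+m[1], m[2]
		} else if f := strings.Fields(line); len(f) == 2 {
			where, attrs = "rule "+f[0], f[1] // "/path ATTRS" selection rule
		} else {
			continue
		}
		for _, a := range strings.Split(attrs, "+") {
			if a = strings.TrimSpace(a); knownHashes[a] && !fipsApproved[a] {
				findings = append(findings,
					fmt.Sprintf("line %d: %s uses non-FIPS hash %s", i+1, where, a))
			}
		}
	}
	return findings
}

func main() {
	// Constructed excerpt mirroring the md5aide.conf.rhel8 from the report.
	conf := "CONTENT_EX = md5+sha512+ftype+p+u+g+n+acl+selinux+xattrs\n/hostroot/etc/ CONTENT_EX\n"
	for _, f := range FIPSViolations(conf) {
		fmt.Println(f)
	}
}
```

Run against the report's config, the scan reports the md5 attribute in CONTENT_EX; an operator performing this check could refuse to mark the node status Succeeded on a FIPS-enabled cluster.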
Additional info: