SCCM Client for LINUX on FIPS Enabled Systems

  • Article

Many organizations in the Public Sector as well as businesses that interact with Public Sector entities are required to adhere to the U.S. Government Federal Information Processing Standard (FIPS) Publication 140 for cryptographic systems and modules.  See https://www.microsoft.com/en-us/TrustCenter/Compliance/FIPS

The compliance applies to hardware, firmware and software that use cryptographic-based security systems.  Operating systems protect and store cryptographic data as well as execute software modules that enable the cryptographic algorithms.

Operating systems can be FIPS capable or can be in FIPS enforcement mode.  During FIPS enforcement mode, the operating systems will only allow the validated algorithms to operate.

While most operating systems have achieved FIPS compliance capability, it has seen limited deployment, often due to the limits of the applications installed on the operating systems.  As the threat landscape continues to evolve, organizations are now increasing their security posture, upgrading applications and enabling features like strict FIPS compliance.

For System Center Configuration Manager client for LINUX, FIPS posed some complex issues.  The client was not initially designed to support the specifically enforced algorithms FIPS requires.  To successfully install the client and make it run, the process involved pre-creating or changing the symbolic links to the required openssl supported modules.

On Friday (Aug 29, 2017), Microsoft released version 5.0.7958.2432 of the Config Mgr Clients for Linux.  The download can be found at the Microsoft System Center Configuration Manager - Clients for Additional Operating Systems  https://www.microsoft.com/en-us/download/details.aspx?id=47719

The ".2432"? release implements the appropriate symbolic links and configuration to support a FIPS enabled system.

OLDER CLIENTS

Here is an example of an install on a FIPS compliant CentOS 7.4 system (in strict enforcement mode).  In this example, to confirm that FIPS is enabled, run the command:

 cat /proc/sys/crypto/fips_enabled

The returned output for a system in FIPS enforcement mode would be "1"?

Attempting to install an OLDER SCCM client to the system would look similar to this:

 Checking Prerequisites...
Checking existence of /lib64/libssl.so.1.0.1e-fips and /lib64/libcrypto.so.1.0.1e-fips ...
Checking existence of /lib64/libssl.so.1.0.1- and /lib64/libcrypto.so.1.0.1- ...
Checking existence of /lib64/libssl.so.1.0.1e and /lib64/libcrypto.so.1.0.1e ...
  Found /lib64/libssl.so.1.0.1e and /lib64/libcrypto.so.1.0.1e ...
Running preinstall validator
fips.c(143): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE
./install: line 422:  3071 Aborted                 (core dumped) $TMPWRKDIR/$TMPBINDIR/preinstallvalidator
Pre-Install validator failed. Please check the version of OpenSSL with CM installation requirements.

 

NEWER 5.0.7958.2432 ? CLIENT

Executing an installation of the newest client on the same system will be successful with an example output below:

 Checking Prerequisites...
ccmexecd.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig ccmexecd off
Generating a 2048 bit RSA private key
..........+++
...........+++
writing new private key to '/etc/opt/microsoft/cm/omi/ssl/omikey.pem'
-----
Initializing data store.  This may take a few minutes...
Configuring CCMExec service(ccmexecd.service) ...
Created symlink from /etc/systemd/system/multi-user.target.wants/ccmexecd.service to /usr/lib/systemd/system/ccmexecd.service.
Starting Configuration Manager...