Project

General

Profile

Actions

Bug #7255

open

Cannot run suricata-update on a FIPS compliant server

Added by Jeremy Simkins 3 months ago. Updated 3 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Due to using md5, you cannot run `suricata-update` on a FIPS enabled server.

I saw this ticket about this: https://redmine.openinfosecfoundation.org/issues/4479

But that is for CentOS and I am having this isssue on RHEL 8/9 and Ubuntu.

That ticket is from 3 years ago.

The potential workaround does not work.

I attempted to use my own hack as we cannot use md5, so I replaced it with sha256.

```
sudo sed -i 's/hashlib.md5/hashlib.sha256/' /usr/lib/suricata/python/suricata/update/main.py
```

This seems to work for me but I am unsure if this causes other issues.

I also had to add trust for fapolicyd:

```
sudo fapolicyd-cli --file add /usr/bin/suricata --trust-file suricata
sudo fapolicyd-cli --file add /usr/libexec/suricata --trust-file suricata
sudo fapolicyd-cli --file add /var/log/suricata --trust-file suricata
sudo systemctl restart fapolicyd
```

And fix the log permissions:

```
sudo chown -R suricata:suricata /var/log/suricata
```

Now `sudo suricata-update` works as expected.

These were the other updates I made to the system:

```
NIC=$(ip route show default | awk '/default/ {print $5}')
sudo sed i 's/community-id: false/community-id: true/' /etc/suricata/suricata.yaml
sudo sed -i "s/interface: .*/interface: $NIC/" /etc/suricata/suricata.yaml
sudo sed -i 's/#force-hash: .*/force-hash: [sha256]/' /etc/suricata/suricata.yaml
echo -e "\ndetect-engine:\n
rule-reload: true" | sudo tee -a /etc/suricata/suricata.yaml
```

Actions #1

Updated by Jeremy Simkins 3 months ago

Due to using md5, you cannot run `suricata-update` on a FIPS enabled server.

I saw this ticket about this: https://redmine.openinfosecfoundation.org/issues/4479

But that is for CentOS and I am having this isssue on RHEL 8/9 and Ubuntu.

That ticket is from 3 years ago.

The potential workaround does not work.

I attempted to use my own hack as we cannot use md5, so I replaced it with sha256.


sudo sed -i 's/hashlib.md5/hashlib.sha256/' /usr/lib/suricata/python/suricata/update/main.py

This seems to work for me but I am unsure if this causes other issues.

I also had to add trust for fapolicyd:


sudo fapolicyd-cli --file add /usr/bin/suricata --trust-file suricata
sudo fapolicyd-cli --file add /usr/libexec/suricata --trust-file suricata
sudo fapolicyd-cli --file add /var/log/suricata --trust-file suricata
sudo systemctl restart fapolicyd

And fix the log permissions:


sudo chown -R suricata:suricata /var/log/suricata

Now `sudo suricata-update` works as expected.

These were the other updates I made to the system:


NIC=$(ip route show default | awk '/default/ {print $5}')
sudo sed -i 's/community-id: false/community-id: true/' /etc/suricata/suricata.yaml
sudo sed -i "s/interface: .*/interface: $NIC/" /etc/suricata/suricata.yaml
sudo sed -i 's/#force-hash: .*/force-hash: [sha256]/' /etc/suricata/suricata.yaml
echo -e "\ndetect-engine:\n- rule-reload: true" | sudo tee -a /etc/suricata/suricata.yaml
Actions

Also available in: Atom PDF