On May 10, 2012, at 10:41 AM, Disiena, Ridley J. (GRC-VO00)[DB Consulting Group, Inc.] wrote:
Seeing issues with the latest 10.7.4 update and from this thread it appears others with FIPS enabled have also had the same problem. Anyone else on this list seeing this on FIPS enabled machines - failure at logon, safe mode does not boot? I figure this community would be most affected if this is the case due to most FIPS use. If anyone can confirm this and the fix, please give us a heads up. I'll file a bug report.
Ridley et al.,
It would appear that some folks attempting to be compliant with FIPS 140-2 regulations did not catch the specific note in the documentation...
Within the corresponding document “FIPS Administration Tools, Crypto Officer Role Guide v1.1” on page 3 of the PDF and the very first page of content it reads (I have highlighted here in Red):
How to install the FIPS Administration Tools
Once the Crypto Officer has obtained the FIPS Administration Tools installer, login to the target computer system where the tools will be installed with an administrator account.
After any OS X Lion System and/or Security update, the Crypto Officer must either 1) run the FIPS Administration installer again or 2) run the FIPSPerformSelfTest create command. This step is necessary to update the Error Detection Code (EDC) for the integrity validation of the PRNG during the Power On Self Test.
You can also, prior to performing the OS/Sec Update, move aside the control file for the FIPS LaunchDaemon prior to the update. Once the OS/Sec update is applied, move the LaunchDaemon item back. As noted above, the final step could be either #1 or #2 noted above:
#1: Run the FIPS Administration installer again
#2: Run the FIPSPerformSelfTest create command
There is no need for folks to delete the /usr/sbin/fips directory as is commented in the forum.
Will look into seeing if we can add additional warnings on the KBase Article and Role Guide, but even with additional warnings, I will suggest that people read.
- Shawn
________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise Division
Bryan Walls
256-544-3311
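Added example, not part of the original thread and not Apple's code: a simplified model of why the self-test fails after an update until the EDC is re-created. HMAC-SHA-256, the key, and the file names are assumptions; the thread does not say how the real EDC is computed or stored.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed key; the real module's integrity key is not on the page.
INTEGRITY_KEY = b"constructed-demo-key"

def compute_edc(module_path):
    """HMAC-SHA-256 over the module file (stand-in for the EDC)."""
    mac = hmac.new(INTEGRITY_KEY, digestmod=hashlib.sha256)
    with open(module_path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def create_edc(module_path, edc_path):
    """Model of the 'create' step: record the EDC of the module as it is now."""
    with open(edc_path, "w") as f:
        f.write(compute_edc(module_path))

def power_on_self_test(module_path, edc_path):
    """True only if the stored EDC matches the module currently on disk."""
    try:
        with open(edc_path) as f:
            stored = f.read().strip()
    except FileNotFoundError:
        return False  # no reference value: fail closed
    return hmac.compare_digest(stored, compute_edc(module_path))

def simulate_update_cycle():
    """Return POST results after install, after an update, after re-create."""
    with tempfile.TemporaryDirectory() as d:
        module = os.path.join(d, "prng_module.bin")  # hypothetical name
        edc = os.path.join(d, "prng_module.edc")     # hypothetical name
        with open(module, "wb") as f:
            f.write(b"constructed PRNG code, pre-update build")
        create_edc(module, edc)
        after_install = power_on_self_test(module, edc)
        with open(module, "wb") as f:  # the update replaces the binary
            f.write(b"constructed PRNG code, post-update build")
        after_update = power_on_self_test(module, edc)  # EDC is now stale
        create_edc(module, edc)  # Crypto Officer re-runs 'create'
        after_recreate = power_on_self_test(module, edc)
    return after_install, after_update, after_recreate

if __name__ == "__main__":
    print(simulate_update_cycle())
```

The middle result is the state the affected machines were in: the update changed the code the EDC covers, so the integrity check fails until the reference value is regenerated.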