Thanks Shawn! I think enough noise on the list has been made so others don’t get caught in the same issue as I and others did. I should add that the issue was recoverable. Apple Support Engineers did call me personally earlier today and they wanted to confirm the issue was resolved and that it was from FIPS. They actually did not tell me that that behavior was documented though, and I did not know until you posted it, I figured out it was due to FIPS from the Apple user forum first. The fact that it will render the system non-bootable if not constantly touched after each update is not something many people would expect from something that just FIPS hardens, which is what I wrongly guessed about the utility. I thought the issue might have been due to corrections on the CDSA debug log password mistake correction not being compatible with what the FIPS CDSA alterations. The note in the PDF though describes it better and I do now regret posting about the issue to the list, but at the time I wasn’t even sure if was from the FIPS installer and was grasping for straws. Anyway, people should be warned now and not unintentionally render a system with DoS... it is not fun. -Ridley From: Shawn Geddis [mailto:email@hidden] Sent: Friday, May 11, 2012 6:13 PM To: Disiena, Ridley J. (GRC-VO00)[DB Consulting Group, Inc.] Cc: email@hidden Subject: Re: [Fed-Talk] FIPS 140-2 Administration Tools Package Available You make a very valid point and I’ll take full responsibility for the lack of that highlight note in the KBase! /* Please accept the following explanation for technical clarity with no other intent */ I, just like all other Apple employees, want things to “just work”. This is a situation where that was not possible for multiple reasons and the “Crypto Officer” (system administrator), unfortunately, does indeed need to read. I will work to get more of a warning included in the KBase, but please understand it does not negate the need to perform the steps mentioned and documented. I also fear that updating the KBase will fail to reach possibly many others that pass around the installer without providing the same warning. The "Note:” section is within the PDF document and is not in the KBase article - just as you correctly stated. This is what I mentioned earlier about working on to get updated. I highlighted this part of your message below in green.
/* Please accept the above explanation for technical clarity with no other intent */ On May 11, 2012, at 5:51 PM, Disiena, Ridley J. (GRC-VO00)[DB Consulting Group, Inc.] wrote: I read it again and the KB article has almost the same instructions but something is missing. I added the place where your Apple folks forgot to add the, well from my experience with the issue, a very important note. I also marked it in red for you and your engineers since it is not there to read. How to install the FIPS Administration Tools How to install the FIPS Administration Tools
Once the Crypto Officer has obtained the FIPS Administration Tools installer, login to the target computer system where the tools will be installed with an administrator account.
Note: After any OS X Lion System and/or Security update, the Crypto Officer must either 1) run the FIPS Administration installer again or 2) run the FIPSPerformSelfTest create command. This step is necessary to update the Error Detection Code (EDC) for the integrity validation of the PRNG during the Power On Self Test.
- Shawn ________________________________________ Shawn Geddis Security Consulting Engineer Apple Enterprise Division |