Workarounds for operating in a FIPS environment

There are a fair number of key features which are not FIPS compliant and are not available to use when operating in a FIPS-enforced environment:

1. Remote agent install

2. ODBC connections to DBs (MSSQL and Oracle, in my world)

3. PDF reports

There are probably more issues; however, the biggest impact on my management of our environment comes from items 1 and 2.

My workarounds:

1: To install agents:

    Windows: We use the MSI/MST agent install method paired with our patching tool (BigFix) to push the agent.

    Linux: We use a scripted install which pulls from the server, triggered by an Ansible playbook.

2: Accessing DBs:

    As a general workaround I use PowerShell to query the DBs, which creates some extra challenges:

        1. Length limits on the "Script Arguments" field force the query into the script if the query is fairly long.

        2. Writing and debugging the script is challenging, since the environments (ISE and Orion) are different.

        3. SCM with Oracle was a little more challenging (perhaps due to our security constraints), where the Oracle access is managed by a local user while the script runs on the server using a different domain account.

What problems have you run into running in a FIPS environment and what have you done to workaround the challenges?
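As an added illustration of the PowerShell workaround for item 2 (this is example code written for this page, not the original poster's script), the sketch below is a SAM Windows PowerShell Monitor script that queries MSSQL through the .NET SqlClient provider rather than an ODBC User Experience Monitor. The (deliberately long) query sits in the script body so it is not subject to the Script Arguments length limit; only the short connection details come in as arguments. The server, database, table and column names, the thresholds and the 15-minute backlog rule are hypothetical placeholders.

```powershell
# Added example, not the original poster's script. Runs as a SAM Windows
# PowerShell Monitor; pass only "-SqlServer ${IP} -Database <name>" in the
# Script Arguments field and keep the query itself in the script body.
param(
    [Parameter(Mandatory)][string]$SqlServer,
    [Parameter(Mandatory)][string]$Database,
    [int]$WarnThreshold = 100,   # hypothetical thresholds
    [int]$CritThreshold = 500
)

# The long query lives here rather than in Script Arguments (length limit).
# dbo.JobQueue / Status / SubmittedAt are hypothetical names.
$query = @"
SELECT COUNT(*) AS Backlog
FROM dbo.JobQueue
WHERE Status = 'Pending'
  AND SubmittedAt < DATEADD(minute, -15, SYSUTCDATETIME());
"@

# Integrated Security uses the account the SAM job engine runs as, so no
# password travels in the arguments. Encrypt=True makes SqlClient negotiate
# TLS; the script itself performs no explicit encryption.
$connString = "Server=$SqlServer;Database=$Database;Integrated Security=True;" +
              "Encrypt=True;TrustServerCertificate=False;Connection Timeout=15"

$conn = New-Object System.Data.SqlClient.SqlConnection $connString
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText    = $query
    $cmd.CommandTimeout = 30
    $backlog = [int]$cmd.ExecuteScalar()
    $cmd.Dispose()
}
catch {
    # A non-zero exit code marks the component Down; the Message line is
    # what shows up in the Orion UI, so put the failure reason there.
    Write-Output "Message: Query failed: $($_.Exception.Message)"
    Write-Output "Statistic: 0"
    exit 1
}
finally {
    $conn.Dispose()
}

# SAM parses "Statistic.<name>: <number>" and "Message.<name>: <text>" lines.
Write-Output "Message.Backlog: $backlog pending jobs older than 15 minutes on $SqlServer/$Database"
Write-Output "Statistic.Backlog: $backlog"

# Exit codes drive component status: 0 Up, 1 Down, 2 Warning, 3 Critical.
if     ($backlog -ge $CritThreshold) { exit 3 }
elseif ($backlog -ge $WarnThreshold) { exit 2 }
exit 0
```

Two practical notes. First, develop against a local `$SqlServer`/`$Database` in the ISE, then paste the body into the monitor unchanged; the only environment-specific pieces are the arguments, which keeps the ISE-versus-Orion debugging gap small. Second, the TLS for the connection is negotiated by the SQL client stack on the box, not by anything the script does, so whether that session is FIPS-compliant is a property of the driver and the host's FIPS policy rather than of the script; that is worth checking explicitly before treating this as a compliant replacement for the ODBC monitor.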

  • Your use of PowerShell scripts to query a database I imagine would not be FIPS compliant as the encryption algorithms used are likely the same as SAM's ODBC User Experience Monitors, since both presumably rely upon the same ODBC drivers. If you're working around FIPS limitations with non-FIPS compliant methods, then why run in FIPS mode? 

  • The scripts run locally on the remote system and do not utilize any explicit encryption.