From b3a9cb6df612428a7f544d87098bd28e91311b4a Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Sat, 14 Jul 2018 18:28:57 +0000
Subject: [PATCH] add new fips junk that just landed in f28 for some reason
---
 roles/rkhunter/templates/rkhunter.conf.j2 | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/roles/rkhunter/templates/rkhunter.conf.j2 b/roles/rkhunter/templates/rkhunter.conf.j2
index d959888f2e..baa57f24ee 100644
--- a/roles/rkhunter/templates/rkhunter.conf.j2
+++ b/roles/rkhunter/templates/rkhunter.conf.j2
@@ -326,6 +326,14 @@ ALLOWHIDDENFILE=/usr/bin/.ssh-keyscan.hmac
 ALLOWHIDDENFILE=/usr/bin/.ssh-keygen.hmac
 ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
 ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
+{% if ansible_distribution_version|int > 27 %}
+# In Fedora 28+ there's a new package for dracut that does the FIPs stuff
+ALLOWHIDDENFILE=/usr/bin/.sha1hmac.hmac
+ALLOWHIDDENFILE=/usr/bin/.sha224hmac.hmac
+ALLOWHIDDENFILE=/usr/bin/.sha256hmac.hmac
+ALLOWHIDDENFILE=/usr/bin/.sha384hmac.hmac
+ALLOWHIDDENFILE=/usr/bin/.sha512hmac.hmac
+{% endif %}
 ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
 ALLOWHIDDENFILE=/usr/share/man/man5/.k5login.5.gz
 ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
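Review bot: The `{% if %}` guard on the added block tests only `ansible_distribution_version|int > 27`, while the comment under it says the entries are for Fedora 28+; if this role is also applied to non-Fedora hosts (not visible from this hunk), any distribution whose major version exceeds 27 would get the same five exemptions. I would write the guard as `{% if ansible_distribution == 'Fedora' and ansible_distribution_version|int > 27 %}`. Each `ALLOWHIDDENFILE` line stops rkhunter from reporting a hidden file at that path whatever put it there, so the comment should name the package that ships these `.hmac` files instead of "a new package for dracut", e.g. `# Fedora 28+: .hmac checksum files for the sha*hmac tools; owner: <package name> (confirm with rpm -qf)`. That lets a later reader verify ownership and remove the entries once the package is no longer installed.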