
FIPS support in Fluentd

Open javsalgar opened this issue 3 years ago • 10 comments

Check CONTRIBUTING guideline first and here is the list to help us investigate the problem.

Is your feature request related to a problem? Please describe.

I would like to confirm that it is possible to configure Fluentd to only use FIPS-validated cryptography. I saw that starting with 0.14.12 there is support for SSL when forwarding. Would using a FIPS-validated OpenSSL be enough, or are there other encryption functions that need to be configured in order to be FIPS-compliant? (https://docs.pulsesecure.net/WebHelp/PCS/9.1R4/AG/Content/PCS/PCS_AdminGuide/Supported_Cipher_Suites_When_2.htm)

Describe the solution you'd like

A confirmation on whether using a FIPS-validated OpenSSL is enough.

Describe alternatives you've considered

n/a

javsalgar avatar Sep 03 '20 08:09 javsalgar

What changes are needed in fluentd core? Need to call some OpenSSL APIs?

repeatedly avatar Sep 04 '20 08:09 repeatedly

@javsalgar I'd love to better understand the use case for FIPS

agup006 avatar Oct 29 '20 04:10 agup006

Hi, any progress on this? Couldn't find any other topics discussing this thread.

OferPRTZ avatar Jul 04 '21 12:07 OferPRTZ

@javsalgar Please share your findings on this

nandu1508 avatar Dec 27 '21 07:12 nandu1508

> @javsalgar I'd love to better understand the use case for FIPS

Most governments require FIPS-validation. It's an absolute requirement by the US government.

seanorama avatar May 10 '22 16:05 seanorama

+1

sfc-gh-stopchiy avatar Jan 16 '24 21:01 sfc-gh-stopchiy

+1

gauravphagrehpe avatar Feb 16 '24 05:02 gauravphagrehpe

To support OpenSSL FIPS on Fluentd, users must install an openssl library with FIPS support. This module sometimes isn't provided for non-commercial distributions such as Ubuntu. Ubuntu does not support FIPS on non-Pro clients: https://ubuntu.com/security/certifications/docs/fips

So, users ought to compile it with FIPS support by themselves if they don't use commercial distributions.

I found some hints to enable FIPS mode:

  • https://hackmd.io/@jaruga/ryDnksRm2
  • https://www.openssl.org/docs/manmaster/man7/fips_module.html

If the FIPS-enabled libraries are installed, users must enable the FIPS module as follows:

# Print configuration errors at startup instead of failing silently
config_diagnostics = 1
openssl_conf = openssl_init

# fipsmodule.cnf is generated by `openssl fipsinstall` and defines [fips_sect]
.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

# Load both the FIPS provider and the base provider (base is needed for
# encoders/decoders, e.g. loading PEM keys and certificates)
[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

# Only allow FIPS-approved algorithm implementations to be fetched
[algorithm_sect]
default_properties = fips=yes

The current status of FIPS support on ruby/openssl is here: https://github.com/ruby/openssl/issues/603

Any thoughts, @ashie @kenhys @daipom?

cosmo0920 avatar Feb 16 '24 05:02 cosmo0920

According to https://github.com/ruby/openssl/issues/603 and https://github.com/ruby/openssl/releases/tag/v3.2.0, all of the FIPS support effort is not fully merged in v3.2.0, so we need to wait for a newer ruby/openssl release. (e.g. https://github.com/ruby/openssl/pull/694 was fixed after v3.2.0)

As it depends on the user environment, it seems that there is little room to deal with this on the Fluentd side, isn't it?

If it is easy to detect whether a FIPS-compliant openssl is running from the Fluentd side, checking it on the Fluentd side may be reasonable. (e.g. OpenSSL.fips_mode)

kenhys avatar Feb 28 '24 01:02 kenhys

> If it is easy to detect whether a FIPS-compliant openssl is running from the Fluentd side, checking it on the Fluentd side may be reasonable. (e.g. OpenSSL.fips_mode)

Yup. It's reasonable. We're only able to switch it on/off or to detect whether FIPS is enabled or not. Under this circumstance, we're able to provide a switch on/off for the FIPS module with a certain parameter and decline to launch Fluentd based on OpenSSL.fips_mode.

cosmo0920 avatar Feb 28 '24 03:02 cosmo0920
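The startup gate sketched in the two comments above (read OpenSSL.fips_mode, and refuse to launch when a parameter demands FIPS but the library does not report it), written out as an added Ruby example. This is not Fluentd's own code and Fluentd has no such parameter; the `require_fips` option name, the `FipsGate` module and the MD5 plausibility check are assumptions made here for illustration. The decision logic is kept separate from the OpenSSL call so it can be exercised on a machine without a FIPS build.

```ruby
# Added example, not Fluentd code. Assumes the ruby/openssl gem; if it cannot
# be loaded, FIPS is treated as unavailable rather than assumed.
begin
  require 'openssl'
rescue LoadError
  # No openssl binding: fips_enabled? will report false below.
end

module FipsGate
  # Pure policy: require_fips is the hypothetical config parameter,
  # fips_enabled is what OpenSSL reports. Returns [verdict, message].
  def self.decide(require_fips:, fips_enabled:)
    if require_fips && !fips_enabled
      return [:refuse, 'require_fips is set but OpenSSL.fips_mode is false; refusing to start']
    end
    return [:ok, 'OpenSSL FIPS mode is active'] if fips_enabled

    [:warn, 'require_fips is not set; running with a non-FIPS OpenSSL']
  end

  # What the library actually reports. Older or minimal builds may lack the
  # method entirely, which is also treated as "not FIPS".
  def self.fips_enabled?
    return false unless defined?(OpenSSL) && OpenSSL.respond_to?(:fips_mode)

    OpenSSL.fips_mode ? true : false
  rescue StandardError
    false
  end

  # Cross-check: a non-approved digest such as MD5 must be unusable when the
  # FIPS provider is the only one allowed (default_properties = fips=yes).
  def self.md5_available?
    OpenSSL::Digest.new('MD5').update('probe').hexdigest
    true
  rescue StandardError
    false
  end

  # false only in the suspicious case "fips_mode says yes, yet MD5 works",
  # which points at a misconfigured provider section.
  def self.fips_claim_plausible?
    !(fips_enabled? && md5_available?)
  end

  # The gate a process would run once at boot: raise to refuse launch,
  # warn on stderr otherwise, and return the verdict for callers/tests.
  def self.startup_check(require_fips:)
    verdict, message = decide(require_fips: require_fips, fips_enabled: fips_enabled?)
    raise message if verdict == :refuse
    raise 'OpenSSL reports FIPS mode but MD5 is usable; check the provider config' unless fips_claim_plausible?

    warn message if verdict == :warn
    verdict
  end
end

if __FILE__ == $PROGRAM_NAME
  # Run with REQUIRE_FIPS=1 to see the refusal path on a non-FIPS OpenSSL.
  puts FipsGate.startup_check(require_fips: ENV['REQUIRE_FIPS'] == '1')
end
```

On a host where the openssl.cnf above is in effect, `startup_check(require_fips: true)` returns `:ok`; on a stock non-FIPS build it raises, which is the "decline to launch" behaviour the thread proposes.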