FIPS for ingest tools #2136
FIPS for ingest tools #2136
Conversation
There was a problem hiding this comment.
Thanks @karenzone for the initial architecture; the split into product categories looks good to me.
Left some initial comments, but I will need to spend more time on finding some more user friendly wording for the removed/changed functionality.
As a general guideline, I would suggest we list the removed functionality as limititation, but do not list configuration options that themselves are just not FIPS compliant. We can do an overall callout on these but would keep this separated from functional limitations. I'll provide more thorough suggestions for this.
|
|
||
| FIPS mode binaries are available for {{agent}}, {{fleet}}, {{filebeat}}, {{metricbeat}}, {{agentbeat}}, and {{apm-server}}. | ||
|
|
||
| The requirements and scope for the listed beats, Elastic Agent, Fleet Server and APM Server are based on FIPS 140 compliance for Elastic Go applications and can be summarized as: |
There was a problem hiding this comment.
| The requirements and scope for the listed beats, Elastic Agent, Fleet Server and APM Server are based on FIPS 140 compliance for Elastic Go applications and can be summarized as: | |
| Compliance with FIPS 140-2 requires using only FIPS approved / NIST recommended cryptographic algorithms. For the listed beats, Elastic Agent, Fleet Server and APM Server this can be summarized as: |
|
|
||
| The requirements and scope for the listed beats, Elastic Agent, Fleet Server and APM Server are based on FIPS 140 compliance for Elastic Go applications and can be summarized as: | ||
|
|
||
| Linking against a FIPS certified cryptographic library at compile time |
There was a problem hiding this comment.
| Linking against a FIPS certified cryptographic library at compile time | |
| - Linking against a FIPS certified cryptographic library |
| The requirements and scope for the listed beats, Elastic Agent, Fleet Server and APM Server are based on FIPS 140 compliance for Elastic Go applications and can be summarized as: | ||
|
|
||
| Linking against a FIPS certified cryptographic library at compile time | ||
| Only using FIPS approved cryptographic functions at runtime |
There was a problem hiding this comment.
| Only using FIPS approved cryptographic functions at runtime | |
| - Only using FIPS approved cryptographic functions |
|
|
||
|
|
||
|
|
||
| ### APM Server [fips-apm-server] |
There was a problem hiding this comment.
Remove this as there is nothing APM Server specific listed?
| - Only fips compliant TLS options are accepted | ||
| - TLSv1.2 is the minimum supported version and validation fails otherwise | ||
| - Only compliant ciphers are allowed | ||
| - Only compliant curve types are allowed |
There was a problem hiding this comment.
Remove these
- TLSv1.2 is the minimum supported version and validation fails otherwise
- Only compliant ciphers are allowed
- Only compliant curve types are allowed
| - Only compliant curve types are allowed | ||
| - TranslateLDAPAttribute Processor is disabled | ||
| - For Kafka output, SCRAM SASL is disabled as it was using a custom pbkdf2 functionality | ||
| - Non compliant crypto in fingerprint processor is disabled: md5 and sha1 disabled |
There was a problem hiding this comment.
| - Non compliant crypto in fingerprint processor is disabled: md5 and sha1 disabled |
| github.com/elastic/beats/v7/libbeat/processors/add_cloud_metadata | ||
| github.com/elastic/beats/v7/x-pack/filebeat/input/azureeventhub | ||
|
|
||
| We need to let our users know that they need to deploy their agent/beats in a fips environment if they were to use service providers like gcp/azure/mongo in order to be compliant. |
There was a problem hiding this comment.
This section needs to be rephrased, I'll set some time aside to make suggestions.
|
|
||
| We need to let our users know that they need to deploy their agent/beats in a fips environment if they were to use service providers like gcp/azure/mongo in order to be compliant. | ||
|
|
||
| More detailed discussion on this issue can be found here elastic/ingest-dev#5039 |
There was a problem hiding this comment.
| More detailed discussion on this issue can be found here elastic/ingest-dev#5039 |
|
@karenzone as discussed, here a more detailed proposal for describing the Limitations (to replace how the limitations are currently listed): LimitationsTLSOnly FIPS 140-2 compliant TLS protocols, ciphers and curve types can be used.
Support for encrypted private keys is not available, as the cryptographic modules used for decrypting password protected keys are not FIPS validated. If an output or any other component with an SSL key that is password protected is configured, the components will fail to load the key. When running in FIPS mode, non-encrypted keys must be provided. These TLS related restrictions apply to all components listed. General Output & Input LimitationsThe Kerberos protocol is not supported for any output or input, which also impacts the available This impacts Filebeat, Metricbeat and APM server, as well as output configurations for Elastic Agent with Fleet Server. APM Server
Filebeat
Metricbeat
Elastic Agent & Fleet ServerWhen using Elastic Agent and Fleet Server, the same restrictions as listed above for metricbeat and filebeat modules, inputs and processors apply to the respective Integrations.
|
Co-authored by: Silvia Mitter <silvia.mitter@elastic.co>
| - id: elastic-agent | ||
| - id: fleet | ||
| applies_to: | ||
| stack: ga 9.1 |
There was a problem hiding this comment.
Not sure what these GA labels mean; generally we want to have these docs in place for
8.19.0: functionality is in Tech Preview9.1.0: functionality is in Tech Preview
There was a problem hiding this comment.
Here's how we're handing this for 9.1.0:
We'll handle messaging and content for 8.19.0 in a separate PR. I'll add it to our punch list.
| FIPS mode binaries are available for {{agent}}, {{fleet}}, {{filebeat}}, {{metricbeat}}, and {{apm-server}}. | ||
|
|
||
| Compliance with FIPS 140-2 requires using only FIPS approved/NIST recommended cryptographic algorithms. For {{agent}}, Fleet Server, the listed {{Beats}}, and APM Server, this can be summarized as: |
There was a problem hiding this comment.
@karenzone WDYT about replacing with this:
The {{agent}}, {{fleet}}, {{filebeat}}, {{metricbeat}}, and {{apm-server}} binaries are built and can be configured to use FIPS 140-2 compliant cryptography.
Generally speaking FIPS 140-2 requirements can be summarized at:
|
i think it might be good to add a section to the 'FIPS for ingest tools' page for "Integrations". we have several integrations which are currently not FIPS compatible. calling these out here would avoid suprises for customers who don't learn they're unsupported until they try to install them. we list the equivalent metricbeat modules, so it makes sense to also list the Integrations that depend on them. you can see which packages are currently not FIPS compatible by checking the for cc @shmsr |
@tommyers-elastic @shmsr (and others who are interested): |
|
@karenzone by default we are saying that intergrations are compatible. but the boolean flag itself doesn't really make any promises about compliance - this is handled at the beats level (hence 'compatible', not 'compliant'). the flag is really like a hint for fleet so we can say to the customer "hey this integration isn't gonna work because it depends on modules that are not in the FIPS version of agent". hope that makes sense. |
PREVIEWS:
https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/2136/deploy-manage/security/fips-140-2
https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/2136/deploy-manage/security/fips-ingest
Related:
Checklist
Deploy and Manage > Security > Secureyour cluster or deployment toDeploy and Manage > Securityto allow for expansion, SEO, and findability.Note to self @karenzone: Relocating ES and Kib might require redirects