elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

Verify Fleet Messaging Service can sign messages in FIPS mode #195282

Open kc13greiner opened 8 hours ago

kc13greiner commented 8 hours ago

Summary

Verify Fleet message signing service works in FIPS mode

Details

While running the new Jest FIPS pipeline, I noticed an error while running x-pack/plugins/fleet/server/services/security/message_signing_service.test.ts

https://github.com/elastic/kibana/blob/17fcaa5c8eb6cdff5f89a2fa28a20f42d020381f/x-pack/plugins/fleet/server/services/security/message_signing_service.test.ts#L192-L211

Specifically this code:

https://github.com/elastic/kibana/blob/17fcaa5c8eb6cdff5f89a2fa28a20f42d020381f/x-pack/plugins/fleet/server/services/security/message_signing_service.ts#L128-L132

Based on the code, everything looks FIPS compliant, and the Key Pair generation looks good as well.

I "patched" some other errors for this image (related https://github.com/elastic/kibana/issues/194944) so I could have this image build.

Once the other errors were patched, the failing jest test above started passing 🤔

I was unable to reproduce the failing test in my local FIPS env, so it was always suspicious.

I would like to verify that this functionality works as expected in FIPS mode, but I am not familiar enough with Fleet to do so.

Setup a FIPS environment locally

Start an ES instance in a method of your choosing, but not using yarn es snapshot. I like to use a 9.0.0-snapshot from the .es/cache directory by running tar -xzvf elasticsearch-9.9.0-SNAPSHOT-darwin-aarch64.tar.gz and cd into the new directory's bin folder to run ./elasticsearch

In a new terminal window, navigate to the top level of your elasticsearch folder and run: curl -X POST --cacert config/certs/http_ca.crt -u elastic:YOUR_PASSWORD_HERE "https://localhost:9200/_license/start_trial?acknowledge=true&pretty"

This will enable the trial license for ES.

Ensure you have Docker running locally.

From any command line, run:

docker run --rm -it \
-v "$(pwd)"/config/keyStore.p12:/keyStore.p12:ro \
-e XPACK_SECURITY_FIPSMODE_ENABLED='true' \
-p 5601:5601/tcp docker.elastic.co/kibana-ci/kibana-ubi-fips:9.0.0-SNAPSHOT-412a745685504415e750e90a8815a36ae0327c45

This will start Kibana in Interactive Setup mode; copy and paste the token from the ES startup logs.

elasticmachine commented 8 hours ago

Pinging @elastic/fleet (Team:Fleet)

elasticmachine commented 8 hours ago

Pinging @elastic/kibana-security (Team:Security)

jlind23 commented 7 hours ago

Hey @ferullo, iirc this service is owned by your team. Would you mind having a look?