fluent / fluentd

Fluentd: Unified Logging Layer (project under CNCF)
https://www.fluentd.org
Apache License 2.0
12.82k stars 1.34k forks

FIPS support in Fluentd #3121

Open javsalgar opened 4 years ago

javsalgar commented 4 years ago


Is your feature request related to a problem? Please describe.

I would like to confirm that it is possible to configure Fluentd to only use FIPS-validated cryptography. I saw that starting with 0.14.12 there is support for SSL when forwarding. Would using a FIPS-validated OpenSSL be enough, or are there other encryption functions that need to be configured in order to be FIPS-compliant? (https://docs.pulsesecure.net/WebHelp/PCS/9.1R4/AG/Content/PCS/PCS_AdminGuide/Supported_Cipher_Suites_When_2.htm)

Describe the solution you'd like

A confirmation on whether using a FIPS-validated OpenSSL is enough.

Describe alternatives you've considered

n/a

repeatedly commented 4 years ago

What changes are needed in fluentd core? Do we need to call some OpenSSL APIs?

agup006 commented 3 years ago

@javsalgar I'd love to better understand the use case for FIPS

OferPRTZ commented 3 years ago

Hi, any progress on this? I couldn't find any other topics discussing this.

nandu1508 commented 2 years ago

@javsalgar Please share your findings on this

seanorama commented 2 years ago

> @javsalgar I'd love to better understand the use case for FIPS

Most governments require FIPS-validation. It's an absolute requirement by the US government.

sfc-gh-stopchiy commented 8 months ago

+1

gauravphagrehpe commented 6 months ago

+1

cosmo0920 commented 6 months ago

To support OpenSSL FIPS on Fluentd, users must install an openssl library with FIPS support. This module sometimes isn't provided for non-commercial distributions such as Ubuntu. Ubuntu does not support FIPS on non-Pro clients: https://ubuntu.com/security/certifications/docs/fips

So users ought to compile it with FIPS support themselves if they don't use commercial distributions.

I found some hints to enable FIPS mode:

If the FIPS-enabled libraries are installed, users must enable the FIPS module as follows:

config_diagnostics = 1
openssl_conf = openssl_init

.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

[algorithm_sect]
default_properties = fips=yes

The current status of FIPS support on ruby/openssl is here: https://github.com/ruby/openssl/issues/603

Any thoughts, @ashie @kenhys @daipom?

kenhys commented 6 months ago

According to https://github.com/ruby/openssl/issues/603 and https://github.com/ruby/openssl/releases/tag/v3.2.0, not all of the FIPS support effort is merged in v3.2.0, so we need to wait for a newer ruby/openssl release. (e.g. https://github.com/ruby/openssl/pull/694 was fixed after v3.2.0)

As it depends on the user environment, it seems there is little room to deal with this on the Fluentd side, isn't it?

If it is easy to detect from the Fluentd side whether a FIPS-compliant openssl is running, checking it on the Fluentd side may be reasonable. (e.g. OpenSSL.fips_mode)

cosmo0920 commented 6 months ago

> If it is easy to detect from the Fluentd side whether a FIPS-compliant openssl is running, checking it on the Fluentd side may be reasonable. (e.g. OpenSSL.fips_mode)

Yup. It's reasonable. We're only able to switch it on/off or to detect whether FIPS is enabled or not. Under this circumstance, we're able to provide an on/off switch for the FIPS module with a certain parameter and decline to launch Fluentd based on OpenSSL.fips_mode.
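The following is an added example, not Fluentd project code and not posted by any participant in this thread. It shows what the startup check discussed above could look like from the Ruby side: it reads OpenSSL.fips_mode as kenhys suggests, and cross-checks the provider configuration cosmo0920 posted (the `default_properties = fips=yes` line) by probing one approved digest (SHA-256 must still work) and one non-approved digest (MD5 must be refused). `FipsGuard`, its methods and the `required:` keyword (standing in for a hypothetical Fluentd parameter such as `fips_mode`) are illustrative names and are not part of Fluentd.

```ruby
require 'openssl'

# Added example, not Fluentd project code. A fail-closed startup guard built
# on what ruby/openssl exposes: OpenSSL.fips_mode plus two behavioural probes.
# The `required` flag stands in for a hypothetical Fluentd system parameter
# (e.g. `fips_mode`) that does not exist in the project as written.
module FipsGuard
  class NotFipsError < StandardError; end

  # Live snapshot of the OpenSSL the running Ruby is linked against.
  #   enabled:     OpenSSL reports FIPS mode (on OpenSSL 3 this is the
  #                default property query "fips=yes")
  #   sha256_ok:   an approved algorithm can still be fetched; false while
  #                enabled is true means fips=yes is set but no FIPS
  #                provider is loaded, so nothing will work
  #   md5_blocked: a non-approved algorithm is refused, i.e. the provider
  #                is actually enforcing, not just being reported
  def self.status
    {
      library: OpenSSL::OPENSSL_LIBRARY_VERSION,
      enabled: OpenSSL.fips_mode,
      sha256_ok: digest_usable?('SHA256'),
      md5_blocked: !digest_usable?('MD5')
    }
  end

  # True if the named digest can be instantiated and run. Unavailable
  # algorithms raise OpenSSL::Digest::DigestError (an OpenSSL::OpenSSLError)
  # at initialisation, or RuntimeError if the name is unknown to the binding.
  def self.digest_usable?(name)
    OpenSSL::Digest.new(name).digest('probe')
    true
  rescue OpenSSL::OpenSSLError, RuntimeError
    false
  end

  # Returns :not_required or :ok, or raises NotFipsError so the caller can
  # decline to launch. `st` defaults to the live status and can be injected
  # (a constructed hash) for testing.
  def self.enforce!(required:, st: status)
    return :not_required unless required

    lib = st[:library]
    raise NotFipsError, "FIPS required but OpenSSL (#{lib}) reports fips_mode=false" unless st[:enabled]
    raise NotFipsError, 'fips_mode is on but SHA-256 is unusable: is the fips provider loaded in openssl.cnf?' unless st[:sha256_ok]
    raise NotFipsError, 'fips_mode is on but MD5 still works: is default_properties = fips=yes set?' unless st[:md5_blocked]

    :ok
  end
end

if $PROGRAM_NAME == __FILE__
  st = FipsGuard.status
  p st
  begin
    puts "enforce!(required: true) => #{FipsGuard.enforce!(required: true, st: st)}"
  rescue FipsGuard::NotFipsError => e
    warn "would refuse to start: #{e.message}"
  end
end
```

The two probes matter because on OpenSSL 3 the FIPS "mode" is only a default property query: setting `OpenSSL.fips_mode = true` without a loaded FIPS provider makes every algorithm fetch fail rather than restricting you to approved ones, and a provider that is loaded but not made the default (no `default_properties = fips=yes`) still reports nothing while MD5 keeps working. A guard that reads only the flag would pass in both broken states.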