
add FIPS report to the API #3894

Merged: 4 commits, Apr 23, 2024
Conversation

bcressey (Contributor)

Issue number:
Related: #1667

Description of changes:
Add a FIPS report to the API so that apiclient report fips can indicate whether FIPS mode is enabled.

The existing framework has fixed strings in the output like "benchmark" and "level" that are CIS-specific, along with the numbered steps. It's not perfect but it also didn't offend my aesthetic sensibilities enough to create a parallel set of FIPS-specific types to be used in either the text or JSON output.

Testing done:
Ran the report on an EC2 instance.

$ apiclient report fips
Benchmark name:  FIPS Security Policy
Version:         v1.0.0
Reference:       https://csrc.nist.gov/
Benchmark level: 1
Start time:      2024-04-12T18:45:04.108220818Z

[PASS] 1.0       FIPS mode is enabled. (Automatic)
[PASS] 1.1       FIPS module is Amazon Linux 2023 Kernel Cryptographic API. (Automatic)
[PASS] 1.2       FIPS self-tests passed. (Automatic)

Passed:          3
Failed:          0
Skipped:         0
Total checks:    3

The JSON formatted report also works.

$ apiclient report fips -f json|jq .
{
  "level": 1,
  "total": 3,
  "passed": 3,
  "skipped": 0,
  "failed": 0,
  "status": "PASS",
  "timestamp": "2024-04-12T18:44:23.836730040Z",
  "name": "FIPS Security Policy",
  "version": "v1.0.0",
  "url": "https://csrc.nist.gov/",
  "results": {
    "fips01000000": {
      "name": "fips01000000",
      "id": "1.0",
      "level": 0,
      "title": "FIPS mode is enabled.",
      "mode": "Automatic",
      "status": "PASS",
      "error": ""
    },
    "fips01010000": {
      "name": "fips01010000",
      "id": "1.1",
      "level": 0,
      "title": "FIPS module is Amazon Linux 2023 Kernel Cryptographic API.",
      "mode": "Automatic",
      "status": "PASS",
      "error": ""
    },
    "fips01020000": {
      "name": "fips01020000",
      "id": "1.2",
      "level": 0,
      "title": "FIPS self-tests passed.",
      "mode": "Automatic",
      "status": "PASS",
      "error": ""
    }
  }
}

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.
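As an added example, not bloodhound's code nor anything from this PR, the following Rust program models the report shape shown above: each check yields a result with the same fields as the JSON `results` entries, the summary counts and overall status are derived from them, and the text rendering follows the `apiclient report fips` layout. Assumptions, marked in the comments: the 1.0 check reads the kernel flag at `/proc/sys/crypto/fips_enabled`; the 1.1 check reads a module name from `/proc/sys/crypto/fips_name` and compares it with a string taken from the check title (the page does not say how bloodhound identifies the module); an unreadable source is reported as FAIL with the reason in `error` rather than as SKIP. The file reader is injectable so the checks can be run against constructed contents offline.

```rust
// Added example, not bloodhound's own code: models the result/summary shape of the
// `apiclient report fips` output and runs two of the checks it lists.
use std::collections::HashMap;
use std::fs;

/// Injectable file reader, so the checks can run against a HashMap in a test.
pub type Read<'a> = &'a dyn Fn(&str) -> Option<String>;
/// A probe returns Ok(true) for PASS, Ok(false) for FAIL, Err(reason) if its source is unreadable.
pub type Probe = fn(&dyn Fn(&str) -> Option<String>) -> Result<bool, String>;

/// ASSUMPTION: module name expected by check 1.1, taken from the check title on the page.
pub const EXPECTED_MODULE: &str = "Amazon Linux 2023 Kernel Cryptographic API";

/// One check result, with the same fields as the PR's JSON `results` entries.
#[derive(Debug, Clone, PartialEq)]
pub struct CheckResult {
    pub name: String,
    pub id: String,
    pub level: u32,
    pub title: String,
    pub mode: String,
    pub status: String,
    pub error: String,
}

/// Report summary, with the same fields as the PR's top-level JSON.
#[derive(Debug, PartialEq)]
pub struct Summary {
    pub total: usize,
    pub passed: usize,
    pub failed: usize,
    pub skipped: usize,
    pub status: String,
}

/// Real-filesystem reader used by `main`.
pub fn fs_reader(path: &str) -> Option<String> {
    fs::read_to_string(path).ok()
}

/// 1.0: the kernel exposes its FIPS flag at /proc/sys/crypto/fips_enabled ("1" when enabled).
pub fn check_fips_enabled(read: Read<'_>) -> Result<bool, String> {
    read("/proc/sys/crypto/fips_enabled")
        .map(|v| v.trim() == "1")
        .ok_or_else(|| "cannot read /proc/sys/crypto/fips_enabled".to_string())
}

/// 1.1: ASSUMPTION: the module name is read from /proc/sys/crypto/fips_name; the page
/// does not say how bloodhound identifies the module.
pub fn check_fips_module(read: Read<'_>) -> Result<bool, String> {
    read("/proc/sys/crypto/fips_name")
        .map(|v| v.trim() == EXPECTED_MODULE)
        .ok_or_else(|| "cannot read /proc/sys/crypto/fips_name".to_string())
}

/// Check table: (name, id, title, probe). Names, ids and titles mirror the page's output.
pub fn checks() -> Vec<(&'static str, &'static str, &'static str, Probe)> {
    vec![
        ("fips01000000", "1.0", "FIPS mode is enabled.", check_fips_enabled as Probe),
        ("fips01010000", "1.1", "FIPS module is Amazon Linux 2023 Kernel Cryptographic API.",
         check_fips_module as Probe),
    ]
}

/// Runs every check and derives the summary; overall status is PASS only if nothing failed.
pub fn run_report(read: Read<'_>) -> (Vec<CheckResult>, Summary) {
    let results: Vec<CheckResult> = checks()
        .into_iter()
        .map(|(name, id, title, probe)| {
            let (status, error) = match probe(read) {
                Ok(true) => ("PASS", String::new()),
                Ok(false) => ("FAIL", String::new()),
                // Design choice: an unreadable source is a FAIL with the reason recorded,
                // so "unknown" is never reported to a Crypto Officer as approved mode.
                Err(reason) => ("FAIL", reason),
            };
            CheckResult {
                name: name.to_string(), id: id.to_string(), level: 0,
                title: title.to_string(), mode: "Automatic".to_string(),
                status: status.to_string(), error,
            }
        })
        .collect();
    let passed = results.iter().filter(|r| r.status == "PASS").count();
    let failed = results.iter().filter(|r| r.status == "FAIL").count();
    let skipped = results.len() - passed - failed;
    let status = if failed == 0 { "PASS" } else { "FAIL" }.to_string();
    let summary = Summary { total: results.len(), passed, failed, skipped, status };
    (results, summary)
}

/// Text rendering in the layout shown for `apiclient report fips`.
pub fn render_text(results: &[CheckResult], summary: &Summary) -> String {
    let mut out = String::new();
    for r in results {
        out.push_str(&format!("[{}] {:<10}{} ({})\n", r.status, r.id, r.title, r.mode));
        if !r.error.is_empty() {
            out.push_str(&format!("       error: {}\n", r.error));
        }
    }
    out.push_str(&format!(
        "\nPassed:          {}\nFailed:          {}\nSkipped:         {}\nTotal checks:    {}\n",
        summary.passed, summary.failed, summary.skipped, summary.total
    ));
    out
}

fn main() {
    let (results, summary) = run_report(&fs_reader);
    print!("{}", render_text(&results, &summary));
}
```

Run on a host, it reads the real `/proc` entries; in a test the reader is replaced by a closure over a `HashMap` of constructed file contents. The FAIL-on-unreadable choice matters for the stated goal of a remote Crypto Officer: a report that cannot prove the approved mode must not look like one that did.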

@bcressey (Contributor, Author)

⬆️ force push fixes formatting

As a preliminary step to support reports other than CIS benchmarks,
rename the existing checks to reflect that they are CIS-related.

Signed-off-by: Ben Cressey <bcressey@amazon.com>

`bloodhound` does not rely on conditional-compilation, and only used
bconds as a way to pull in the Kubernetes CIS checks for variants
with the k8s runtime.

Move the Kubernetes CIS checks to a subpackage, and switch to boolean
dependencies to install them as needed.

Signed-off-by: Ben Cressey <bcressey@amazon.com>

The FIPS report includes checks for elements that are expected to be
in the eventual FIPS Security Policy for the Amazon Linux 2023 kernel
cryptographic module.

Signed-off-by: Ben Cressey <bcressey@amazon.com>

Add a server endpoint for generating a FIPS report, and extend the
client with a subcommand to call it. The goal is to enable a Crypto
Officer without direct access to the underlying host to verify that
the system is operating in the approved mode.

Signed-off-by: Ben Cressey <bcressey@amazon.com>
@bcressey (Contributor, Author)

⬆️ force push for rebase

@bcressey bcressey merged commit a72ce36 into bottlerocket-os:develop Apr 23, 2024
35 checks passed
@bcressey bcressey deleted the bloodhound-fips branch April 23, 2024 18:34