FIPS standard in DevOps Security using Ubuntu

-

Have you wondered, what's with DevSecOps , the silver bullet in the industry ? Well, there are many aspects of DevSecOps, one could speak of, but lets' talk of something that is absolute must have on your platform, if Security is the persistent requirement for your product. FIPS 140-2 data Protection Standards.

So what is FIPS-140 Standards. It enables strict requirements on cryptography algorithms, and disabling use of public key algorithms and any other scheme that might be less secured. Essentially enabled by FIPS validated packages and cryptography. Canonical has come up with Ubuntu Pro packages that are available with Ubuntu Advantage subscription. You can check if you are subscribed to Ubuntu Advantage in your Ubuntu laptop / server by running

# ua status

On a normal course of Application programming and Product making , teams don't bother about Information encryption and related standards. By making use of FIPS standard platform , facilitated by Ubuntu Advantage subscription, one can make sure the FIPS validated crypts are used leading to reduction in time taken for accreditation and reduced cost in attaining FEDRAMP compliance.

FIPS validated crypto packages makes use of following in Ubuntu 20.04: 

linux-image-fips:    The Linux Kernel Crypto API.
libssl1.1:                 The OpenSSL cryptographic backend. This includes the necessary cryptography for OpenSSH as well.
libgcrypt20:            The libgcrypt cryptographic library.
strongswan:            StrongSwan, the IPSec VPN implementation

To enable FIPS on your Ubuntu server, do following, 

# apt update

# apt install ubuntu-advantage-tools

# ua attach

# ua enable fips-updates

A reboot will be necessary, as fips kernel module are enabled. Once enabled, /proc/sys/crypto/fips_enabled file contains characters 0x31 .

Now your Server is FIPS protected. Any application code making use of encryption, will now have to make use of FIPS validated encryption, without which there would be error from compiler or interpreter of programming language.


Comments

Post a Comment

Popular posts from this blog

VLAN External Network in Openshift using NMState Operators and Multus

-
Image
NMstate operators and Multus CNI provide us with plugins and APIs, to set up external network in openshift container ecosystem. Let us see how we can implement a external VLAN networking for certain pods/VMs apart from, pods/VMs using internal cluster networking. When we install NMState operator, it avails us 3 different APIs, namely: Node Network Configuration Policy : Node level network settings implementation.          # oc get nncp Node Network State : The current state of node network is stored in this.         # oc get nns/<node-name> Node Network Configuration Enactment : The status of NNCP implementation across cluster nodes, is checked in this object.         # oc get nnce Network Attachment Definition (NAD) : Apart from above APIs, we will also make use of NAD from multus CNI plugin framework. This implements namespaced object that exposes existing layer 2 network dev...
Read more

Migrating from OpenshiftSDN to OVNKubernetes CNI

-
APIs involved in this migrations are: Network.operator.openshift.io Network.config.openshift.io Operators involved in this migrations are: Cluster Network Operator (CNO) Machine Config Operator (MCO) Refer to pre-requisite steps here , jotted in another post. Update to latest compatible z-stream .  With  that taken care, proceed below. 1> Backup existing cluster network config:      # oc get Network.config.openshift.io cluster -o yaml > cluster-openshiftSDN.yaml 2> Verify that  OVN_SDN_MIGRATION_TIMEOUT   environment variable is set and is  equal to  0s. 3> Set the migration value to null in CNO object cluster:                  # oc patch Network.operator.openshift.io cluster  -- type='merge'  --patch '{"spec":{"migration":null}}' At this time, CNO updates status of Network.config.openshift.io   CR  named  cluster accordingly. MCO rolls out an update to sys...
Read more

Updating Z-stream of version in Openshift Container Platform

-
Whenever we want to upgrade the OCP to next recommended upgrade path, we want to first move to latest patch version of major and minor version of OCP we are running. For instance, if your Openshift is version 4.15.11 (x.y.z) then, Major (x) version is 4, Minor (y) version is 15 and patch (z) version is 11. First update the master/control node and then worker nodes. The worker nodes in case of update can differ from control node by y-2. This allows to plan for update in large clusters that is staggered across in time. With that bit cleared let us see the procedure to update the z version of OCP version. 1> Just run following to lists the compatible update releases # oc adm upgrade Or run below to see available updates, # oc adm upgrade --include-not-recommended Note: Always consult the OSUS upgrade Graph for valid path upgrades 2> After having made the decision, considering impact of updates on existing set-up, go ahead and update the control node. # oc adm upgrade --to=4.15.3...
Read more