Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.22.1 < 8.0.0
Start using this module
Add this module to your Puppetfile:
mod 'simp-fips', '0.5.0'
Table of Contents
- Description
- Setup
  - What fips affects
  - Beginning with fips
- Reference
- Limitations
- Development
Description
This module enables Federal Information Processing Standard (FIPS) mode at the kernel level. FIPS Publication 140-2 is a computer security standard, developed by a U.S. Government and industry working group, for validating the quality of cryptographic modules. FIPS publications (including 140-2) can be found at the following URL: http://csrc.nist.gov/publications/PubsFIPS.html. Enabling FIPS mode installs an integrity checking package and restricts the ciphers available for applications to use.
This module manages the kernel parameters and packages required for enabling FIPS mode in supported operating systems.
This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
If you find any issues, they may be submitted to our bug tracker.
Setup
What fips affects
WARNING
FIPS mode disables md5 hashing at a library level. Enabling it may have unintended consequences.
- Kernel parameters and Grub
- Dracut and initrd
- Packages:
- nss
- dracut-fips
- fipscheck
Beginning with fips
Include the fips class.
- By default, this will enable FIPS mode.
- To ensure that FIPS mode is disabled, set simp_options::fips to false.
- Do not set fips::enabled directly to false; it defaults to the value of simp_options::fips (as do the FIPS-related parameters of all other SIMP modules).
IMPORTANT
Setting simp_options::fips to either true or false is by far the best method to consistently configure all SIMP modules with your intended FIPS mode.
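The following site profile is an added example, not code from the simp-fips module itself. It assumes a Hiera key simp_options::fips (the SIMP catalyst the README describes) and the fips_enabled fact that the module's own default refers to; the profile name profile::fips_baseline is hypothetical. It resolves the intended FIPS state the same way the class default does (Hiera key first, then the node's current state), reports when a run would actually flip the state, and shows the recommended include next to the discouraged per-class override.

```puppet
# Added example (not part of the simp-fips module): enable or disable FIPS
# consistently through the SIMP catalyst instead of the class parameter.
#
# Assumed Hiera data in common.yaml (the single switch all SIMP modules read):
#   simp_options::fips: true
#
class profile::fips_baseline {
  # Resolve the target state the way fips::enabled does by default: the Hiera
  # key wins, otherwise fall back to the node's current FIPS status so that
  # merely including the class never flips FIPS unexpectedly.
  $target_fips = lookup('simp_options::fips', Boolean, 'first', $facts['fips_enabled'])

  # Surface a state change in the agent report: switching FIPS changes the
  # cryptographic modules in use and can invalidate existing keys and
  # certificates, and the new kernel parameters only take effect after a reboot.
  if $target_fips != $facts['fips_enabled'] {
    notify { 'fips-state-change':
      message => "FIPS mode will change from ${facts['fips_enabled']} to ${target_fips} on next boot; verify keys and certificates use FIPS-approved algorithms first",
    }
  }

  # Recommended: include the class and let fips::enabled inherit from
  # simp_options::fips, as every other SIMP module's FIPS parameter does.
  include fips

  # Discouraged (kept commented out): forcing the parameter here diverges this
  # module from the other SIMP modules, which still follow simp_options::fips.
  # class { 'fips': enabled => false }
}
```

Assign the profile from site.pp or your classifier; the notify fires only on runs where the Hiera value and the fact disagree, which is exactly the run that will rewrite the kernel boot parameters.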
Reference
See REFERENCE.md for details.
Limitations
SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux
and compatible distributions, such as CentOS. Please see the metadata.json
file
for the most up-to-date list of supported operating systems, Puppet versions,
and module dependencies.
Development
Please read our Contribution Guide.
Acceptance tests
This module includes Beaker acceptance tests using the SIMP Beaker Helpers.
By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:
bundle install
bundle exec rake beaker:suites
Please refer to the SIMP Beaker Helpers documentation for more information.
Reference
Table of Contents
Classes
fips
: This module manages the enabling and disabling of FIPS on a system. It will set the kernel boot parameters and install/remove the dracut packages.
Classes
fips
This module manages the enabling and disabling of FIPS on a system. It will set the kernel boot parameters, install/remove the dracut packages and rebuild initramfs images.
Changing the FIPS status of a system changes the cryptographic modules used. This can affect existing keys and certificates and make them unusable. Make sure these effects are understood before changing the status.
NOTE: The preferred method to set FIPS mode consistently across ALL SIMP modules is to set simp_options::fips to true in Hiera.
Parameters
The following parameters are available in the fips class:
enabled
Data type: Boolean
If FIPS should be enabled or disabled on the system.
- NOTE: Given the dangerous nature of FIPS unexpectedly being activated on a system, this module mirrors the existing status of FIPS on the system to which it is applied.
Default value: simplib::lookup('simp_options::fips', { 'default_value' => $facts['fips_enabled']})
aesni
Data type: Boolean
This parameter indicates whether the system uses the Advanced Encryption Standard New Instructions set.
Default value: (
dracut_ensure
Data type: String
The ensure status of the dracut-fips and dracut-fips-aesni packages
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
fipscheck_ensure
Data type: String
The ensure status of the fipscheck package
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
nss_ensure
Data type: String
The ensure status of the nss package
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
- Tue Jun 15 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 0.5.0
- Removed support for Puppet 5
- Ensured support for Puppet 7 in requirements and stdlib
- Thu Jan 21 2021 Trevor Vaughan tvaughan@onyxpoint.com - 0.4.5
- Fixed:
- Now use the simplibcrypto_policy_state fact instead of crypto_policystate due to module dependency issues.
- Wed Dec 23 2020 Trevor Vaughan tvaughan@onyxpoint.com - 0.4.4
- Fixed:
- Ensure that dracut_rebuild is called when the fips kernel parameter is changed
- Try to call fips-mode-setup (EL8+) before falling back to the raw dracut command
- Fixed the acceptance test fact checks
- Changed:
- Added Puppet 7 support
- Fri Dec 18 2020 Chris Tessmer chris.tessmer@onyxpoint.com - 0.4.4
- Removed EL6 support
- Wed Sep 30 2020 Trevor Vaughan tvaughan@onyxpoint.com - 0.4.3-0
- Fix: Update the beaker nodesets to embed the SSH crypto configuration.
- This prevents issues when the underlying user's SSH settings would not otherwise allow FIPS-compatible algorithms for older systems.
- Wed Sep 16 2020 Liz Nemsick lnemsick.simp@gmail.com - 0.4.2-0
- Advertise OEL8 support in the metadata.json.
- Wed May 13 2020 Trevor Vaughan tvaughan@onyxpoint.com - 0.4.1-0
- Ensure that EL8 updates trigger updating the global system crypto policy since some subsystems now ignore the local configuration by default.
- Tue Dec 10 2019 Trevor Vaughan tvaughan@onyxpoint.com - 0.4.0-0
- Add EL8 support
- Add REFERENCE.md
- Thu Jun 06 2019 Steven Pritchard steven.pritchard@onyxpoint.com - 0.3.0-0
- Add v2 compliance_markup data
- Thu Mar 28 2019 Jim Anderson thesemicolons@protonmail.com - 0.2.2-0
- Moved code for defining $aesni from params.pp to init.pp
- Thu Mar 07 2019 Liz Nemsick lnemsick.simp@gmail.com - 0.2.1-0
- Update the upper bound of stdlib to < 6.0.0
- Update a URL in the README.md
- Thu Oct 11 2018 Nick Miller nick.miller@onyxpoint.com - 0.2.0-0
- Added $dracut_ensure, $fipscheck_ensure and $nss_ensure parameters
- Changed the packages from 'latest' to 'installed'
- It will also respect simp_options::package_ensure
- Update badges and contribution guide URL in the README.md
- Thu Jul 12 2018 Trevor Vaughan tvaughan@onyxpoint.com - 0.2.0-0
- Added support for OEL and Puppet 5
- Add a message to the reboot_notify resource to be more helpful
- Mon Feb 26 2018 Trevor Vaughan tvaughan@onyxpoint.com - 0.1.4-0
- Updated testing configurations including GCE suite information, .travis.yml and .gitab-ci.yml.
- Sat Sep 30 2017 Trevor Vaughan tvaughan@onyxpoint.com - 0.1.3-0
- Updated to latest augeasproviders_grub version. New module had no functionality impacts.
- Fri May 12 2017 Trevor Vaughan tvaughan@onyxpoint.com - 0.1.2-0
- Including the FIPS module was causing FIPS mode to be enabled by default. This had high potential for causing issues, as evidenced by our acceptance tests, so we now mirror the 'enabled' state of the module based on whether or not FIPS is already enabled on the target system.
- Update puppet dependency in metadata.json
- Fri May 05 2017 Trevor Vaughan tvaughan@onyxpoint.com - 0.1.2-0
- Created a work-around for an undocumented issue where /boot is not on its own partition but is added to the kernel parameters with fips=1. This situation ends up creating a kernel panic on the system until the boot= entry is removed from the kernel boot line.
- Added tests against GCE since that is the default image configuration on those systems.
- Thu Mar 23 2017 Jeanne Greulich jeanne.greulich@onyxpoint.com - 0.1.1-0
- The simp_options::fips catalyst did not disable fips; changed enable variable to default to simp_options::fips
- Moved check for OS family from params to init
- Added package remove for dracut-fips packages if fips is disabled
Dependencies
- simp/simplib (>= 4.7.0 < 5.0.0)
- puppetlabs/stdlib (>= 6.6.0 < 8.0.0)
- herculesteam/augeasproviders_core (>= 2.1.1 < 3.0.0)
- herculesteam/augeasproviders_grub (>= 2.3.1 < 4.0.0)
fips - A SIMP module for managing FIPS

Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls.

---

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.