
FIPS compliance #8435

Open
jszwedko opened this issue Jul 23, 2021 · 7 comments
Labels
domain: security Anything related to security type: feature A value-adding code addition that introduce new functionality.

Comments

@jszwedko
Member

A couple of users in discord have asked about FIPS compliance with regards to Vector:

I'm not entirely sure what all would be involved to have Vector be FIPS compliant, but at the least it seems like it'd be compiling using this openssl module: https://www.openssl.org/docs/fips.html (probably optionally)

This appears to be required for running applications in AWS GovCloud.

@jszwedko jszwedko added the type: feature A value-adding code addition that introduce new functionality. label Jul 23, 2021
@Datawiz0

@jszwedko AFAIK Vector is FIPS compliant if running in a FIPS compliant environment. For instance, OpenShift 4.9 is FIPS compliant and has introduced Vector as an alternative to Fluentd, and I believe they are still claiming FIPS compliance ;)

@jcantrill

@jszwedko AFAIK Vector is FIPS compliant if running in a FIPS compliant environment. For instance, OpenShift 4.9 is FIPS compliant and has introduced Vector as an alternative to Fluentd, and I believe they are still claiming FIPS compliance ;)

I'm the lead of our logging team looking to introduce Vector as an alternate collector in OpenShift Logging 5.5 (~OCP 4.10) as a tech preview. I would be interested in understanding who "they" are in this reference; our team has a release pending in days and I know of no other. We are only able to claim FIPS compliance if we are utilizing the OpenSSL that ships with RHEL/CoreOS, but otherwise I don't believe we make any explicit statement.

Is there any work planned to address this issue? Is there a place where we can assist to make these changes?

@jszwedko
Member Author

Hi @jcantrill !

Thanks for the notes. We have this on our backlog but it hasn't been scheduled yet. I think we first just need to identify what needs to be done to make Vector FIPS compliant.

@syedriko
Contributor

syedriko commented Apr 28, 2022

Hi @jszwedko! Making Vector FIPS compliant would involve using exclusively a FIPS-audited crypto implementation for all crypto needs. On RHEL/CoreOS that's OpenSSL, supplied by the OS, linked to Vector dynamically. ring has not been FIPS-audited. It appears the most interesting part of this work is going to be not with Vector itself, but with its (transitive) dependencies. For example, the AWS Rust SDK depends on ring directly. rustls is having a discussion along these lines in rustls/rustls#521.
Just to give an idea of what else depends on ring (that's for the feature set we at OpenShift care about):

$ cargo tree -i ring --no-default-features --features ocp-logging
ring v0.16.20
├── aws-config v0.9.0
│   └── vector v0.21.0 
├── aws-sigv4 v0.9.0
│   ├── aws-sig-auth v0.9.0
│   │   ├── aws-sdk-cloudwatchlogs v0.9.0
│   │   │   └── vector v0.21.0 
│   │   ├── aws-sdk-sso v0.9.0
│   │   │   └── aws-config v0.9.0 (*)
│   │   └── aws-sdk-sts v0.9.0
│   │       └── aws-config v0.9.0 (*)
│   └── vector v0.21.0 
├── azure_storage v0.1.0 (https://github.com/Azure/azure-sdk-for-rust.git?rev=3ca5610b959b3b6b77bb88da09f0764b605b01bc#3ca5610b)
│   └── azure_storage_blobs v0.1.0 (https://github.com/Azure/azure-sdk-for-rust.git?rev=3ca5610b959b3b6b77bb88da09f0764b605b01bc#3ca5610b)
│       [dev-dependencies]
│       └── vector v0.21.0 
│   [dev-dependencies]
│   └── vector v0.21.0 
├── rustls v0.19.1
│   ├── bollard v0.11.1
│   │   └── vector v0.21.0 
│   ├── hyper-rustls v0.22.1
│   │   ├── aws-smithy-client v0.39.0
│   │   │   ├── aws-config v0.9.0 (*)
│   │   │   ├── aws-sdk-cloudwatchlogs v0.9.0 (*)
│   │   │   ├── aws-sdk-sso v0.9.0 (*)
│   │   │   ├── aws-sdk-sts v0.9.0 (*)
│   │   │   ├── aws-types v0.9.0
│   │   │   │   ├── aws-config v0.9.0 (*)
│   │   │   │   ├── aws-endpoint v0.9.0
│   │   │   │   │   ├── aws-sdk-cloudwatchlogs v0.9.0 (*)
│   │   │   │   │   ├── aws-sdk-sso v0.9.0 (*)
│   │   │   │   │   └── aws-sdk-sts v0.9.0 (*)
│   │   │   │   ├── aws-http v0.9.0
│   │   │   │   │   ├── aws-config v0.9.0 (*)
│   │   │   │   │   ├── aws-sdk-cloudwatchlogs v0.9.0 (*)
│   │   │   │   │   ├── aws-sdk-sso v0.9.0 (*)
│   │   │   │   │   └── aws-sdk-sts v0.9.0 (*)
│   │   │   │   ├── aws-sdk-cloudwatchlogs v0.9.0 (*)
│   │   │   │   ├── aws-sdk-sso v0.9.0 (*)
│   │   │   │   ├── aws-sdk-sts v0.9.0 (*)
│   │   │   │   ├── aws-sig-auth v0.9.0 (*)
│   │   │   │   └── vector v0.21.0 
│   │   │   └── vector v0.21.0 
│   │   └── bollard v0.11.1 (*)
│   ├── rustls-native-certs v0.5.0
│   │   ├── bollard v0.11.1 (*)
│   │   └── hyper-rustls v0.22.1 (*)
│   └── tokio-rustls v0.22.0
│       └── hyper-rustls v0.22.1 (*)
├── sct v0.6.1
│   ├── ct-logs v0.8.0
│   │   ├── bollard v0.11.1 (*)
│   │   └── hyper-rustls v0.22.1 (*)
│   └── rustls v0.19.1 (*)
└── webpki v0.21.4
    ├── hyper-rustls v0.22.1 (*)
    ├── rustls v0.19.1 (*)
    ├── tokio-rustls v0.22.0 (*)
    └── webpki-roots v0.21.1
        └── bollard v0.11.1 (*)
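
The listing above is easiest to act on once it is reduced to the set of Vector's direct dependencies that drag ring in. The following parser for `cargo tree -i` output does that and separates dev-only edges (which don't ship in the binary) from normal ones; it is an added example, not code from Vector or from this thread, and it runs over a constructed excerpt of the tree posted above.

```python
"""Parse `cargo tree -i <crate>` output and report which direct dependencies
of a root crate transitively pull the inverted crate in, split into normal
edges and dev-only edges. Added example, not Vector code."""
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt of the thread's `cargo tree -i ring` listing (not the full output).
SAMPLE_TREE = """\
ring v0.16.20
├── aws-config v0.9.0
│   └── vector v0.21.0
├── aws-sigv4 v0.9.0
│   ├── aws-sig-auth v0.9.0
│   │   ├── aws-sdk-cloudwatchlogs v0.9.0
│   │   │   └── vector v0.21.0
│   │   └── aws-sdk-sts v0.9.0
│   │       └── aws-config v0.9.0 (*)
│   └── vector v0.21.0
├── azure_storage v0.1.0 (https://github.com/Azure/azure-sdk-for-rust.git)
│   └── azure_storage_blobs v0.1.0 (https://github.com/Azure/azure-sdk-for-rust.git)
│       [dev-dependencies]
│       └── vector v0.21.0
│   [dev-dependencies]
│   └── vector v0.21.0
└── rustls v0.19.1
    ├── bollard v0.11.1
    │   └── vector v0.21.0
    └── hyper-rustls v0.22.1
        └── aws-smithy-client v0.39.0
            └── vector v0.21.0
"""

# cargo tree draws one 4-character cell per depth level: "│   ", "    ", "├── " or "└── ".
PREFIX = re.compile(r"^(?:[│ ]   |[├└]── )*")

def reverse_dep_entry_points(tree: str, root: str) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Return (normal, dev_only): for each direct dependency of `root` that leads
    back to the inverted crate, the first chain (inverted crate ... root) found."""
    normal: Dict[str, List[str]] = {}
    dev_only: Dict[str, List[str]] = {}
    stack: List[Tuple[str, bool]] = []   # (crate name, reached through a dev edge)
    dev_marks: Set[int] = set()          # depths whose remaining siblings are dev deps
    for line in tree.splitlines():
        line = line.rstrip()
        if not line:
            continue
        prefix = PREFIX.match(line).group(0)
        depth, body = len(prefix) // 4, line[len(prefix):]
        if body == "[dev-dependencies]":
            dev_marks.add(depth + 1)     # the marker sits one level above the nodes it labels
            continue
        dev_marks = {d for d in dev_marks if d <= depth}   # leaving a subtree clears its marks
        name = body.split()[0]
        del stack[depth:]
        stack.append((name, depth in dev_marks))
        if name == root and not body.endswith("(*)") and len(stack) > 1:
            bucket = dev_only if any(is_dev for _, is_dev in stack) else normal
            bucket.setdefault(stack[-2][0], [n for n, _ in stack])
    for crate in list(dev_only):         # a crate also reached by a normal edge is not dev-only
        if crate in normal:
            del dev_only[crate]
    return normal, dev_only
```

`(*)` nodes are skipped because cargo tree has already expanded that subtree earlier in the listing, so every chain is still counted exactly once.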

@syedriko
Contributor

syedriko commented Jul 5, 2022

For the sake of cross-referencing, here is the AWS Rust SDK issue and PR on making OpenSSL the exclusive crypto provider:
smithy-lang/smithy-rs#1529
smithy-lang/smithy-rs#1530

jszwedko added a commit that referenced this issue Feb 7, 2023
The bulk of our dependencies use OpenSSL so we prefer it when possible to reduce variance. We may
also consider [FIPS compliance](#8435) in the future,
for which rustls does not have support.

Closes: #15905

Signed-off-by: Jesse Szwedko <[email protected]>
jszwedko added a commit that referenced this issue Feb 8, 2023
* chore(aws provider): Switch to native-tls

The bulk of our dependencies use OpenSSL so we prefer it when possible to reduce variance. We may
also consider [FIPS compliance](#8435) in the future,
for which rustls does not have support.

Closes: #15905

Signed-off-by: Jesse Szwedko <[email protected]>

* Add upgrade note

Signed-off-by: Jesse Szwedko <[email protected]>

* Update website/content/en/highlights/2023-02-28-0-28-0-upgrade-guide.md

Co-authored-by: Spencer Gilbert <[email protected]>

---------

Signed-off-by: Jesse Szwedko <[email protected]>
Co-authored-by: Spencer Gilbert <[email protected]>
@jszwedko jszwedko added the domain: security Anything related to security label Feb 24, 2023
@jszwedko
Member Author

Notably we added VRL encryption/decryption functions using pure Rust implementations which will likely be impacted by this initiative.

@pront
Member

pront commented Jan 31, 2025

There was some progress on this but also quite a bit of friction:

Fortunately, there's no hard blocker. Someone can resurrect PR #21504.
