Add FIPS switch #19179
Open
dkirov-dd wants to merge 40 commits into master from david.kirov/fips-switch
Conversation
dkirov-dd force-pushed the david.kirov/fips-switch branch 3 times, most recently from 83c8f4b to d13d060 (December 3, 2024 10:46)
dkirov-dd force-pushed the david.kirov/fips-switch branch 5 times, most recently from 83f3a46 to 7811081 (December 3, 2024 12:55)
dkirov-dd force-pushed the david.kirov/fips-switch branch 11 times, most recently from 4b47e1d to f7bc5be (December 3, 2024 14:30)
dkirov-dd force-pushed the david.kirov/fips-switch branch 6 times, most recently from 7f98a36 to 3b6c7e2 (December 3, 2024 15:35)
dkirov-dd force-pushed the david.kirov/fips-switch branch 2 times, most recently from 1f4c5dc to 576fd61 (December 20, 2024 11:05)
dkirov-dd force-pushed the david.kirov/fips-switch branch 8 times, most recently from 34141ab to bc5a3bf (December 20, 2024 14:12)
dkirov-dd force-pushed the david.kirov/fips-switch branch from bc5a3bf to 2594fcd (December 20, 2024 14:17)
dkirov-dd force-pushed the david.kirov/fips-switch branch 5 times, most recently from d140e29 to c25c9f7 (December 20, 2024 15:34)
dkirov-dd force-pushed the david.kirov/fips-switch branch from c25c9f7 to 77508be (December 20, 2024 15:43)
dkirov-dd force-pushed the david.kirov/fips-switch branch 3 times, most recently from 44cd2bc to ef6c3e0 (December 20, 2024 21:42)
dkirov-dd force-pushed the david.kirov/fips-switch branch from ef6c3e0 to fda181f (December 20, 2024 21:46)
What does this PR do?
This PR adds the following functionality to the AgentCheck base class: when the GOFIPS environment variable is set to 1, the OPENSSL_CONF and OPENSSL_MODULES environment variables are modified in order to point all OpenSSL binaries to the desired configuration and modules.
Motivation
We want to ensure that all integrations can function in a FIPS compliant mode if it is necessary.
Implementation decisions
The GOFIPS environment variable was set as the FIPS toggle indicator by the ASC team. Environment variables were preferred to C function calls for two main reasons: simplicity and reliability. The limitation of environment variables is that they have no effect on already loaded OpenSSL configurations. However, since there is no requirement for a toggle to FIPS mode during runtime, this is not an issue, as we can load the correct configuration on startup.
The reason why the implementation should live in the base check is to be as close to the start of the Python process as possible, to prevent any OpenSSL configuration loading before the env vars are set.
Testing
Two types of automated tests were attempted:
enable_fips outside of the Agent container environment. These tests verify that our FIPS switch has an effect on cryptographic libraries like ssl and cryptography. They are run in the test-fips workflow, which is very much experimental.
Review checklist (to be filled by reviewers)
Add the qa/skip-qa label if the PR doesn't need to be tested during QA.
Add the backport/<branch-name> label to the PR and it will automatically open a backport PR once this one is merged.
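The mechanism described in "What does this PR do?" and "Implementation decisions" above, as an added example that is not the PR's or the Agent's code: a switch that reacts to GOFIPS=1 by setting OPENSSL_CONF and OPENSSL_MODULES, refuses when the process has already loaded OpenSSL (the limitation the description notes, since the env vars would then silently do nothing), and renders the OpenSSL 3 config layout that OPENSSL_CONF should point at. The config and module paths, the list of OpenSSL-backed Python modules, and the function names enable_fips/render_fips_config are assumptions for illustration.

```python
"""Added example (not the PR's code): a FIPS switch modelled on the behaviour the
PR description gives for the AgentCheck base class. Paths and module names
marked as assumptions are illustrative, not the Agent's real ones."""
import os
import sys

FIPS_TOGGLE_VAR = "GOFIPS"  # toggle indicator named in the PR description

# Assumed locations; a real Agent build ships its own OpenSSL config and modules.
DEFAULT_FIPS_CONF = "/etc/ssl/openssl-fips.cnf"
DEFAULT_MODULES_DIR = "/usr/lib64/ossl-modules"

# Python modules that link libcrypto/libssl. Once any of these is imported the
# OpenSSL config has already been read, so changing the env vars is too late.
# The list is an assumption covering CPython's ssl/hashlib and cryptography.
OPENSSL_BACKED_MODULES = ("_ssl", "ssl", "_hashlib", "cryptography.hazmat.bindings._rust")

# OpenSSL 3 config layout that activates the FIPS provider (per OpenSSL's
# README-FIPS); {fipsmodule_cnf} is the file written by `openssl fipsinstall`.
FIPS_CONF_TEMPLATE = """\
config_diagnostics = 1
openssl_conf = openssl_init

.include {fipsmodule_cnf}

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

[algorithm_sect]
default_properties = fips=yes
"""


def fips_requested(environ=None):
    """True only when GOFIPS is exactly "1", mirroring the PR's toggle semantics."""
    environ = os.environ if environ is None else environ
    return environ.get(FIPS_TOGGLE_VAR, "").strip() == "1"


def openssl_already_loaded(modules=None):
    """Return the names of already-imported modules that have loaded OpenSSL."""
    modules = sys.modules if modules is None else modules
    return [name for name in OPENSSL_BACKED_MODULES if name in modules]


def enable_fips(environ=None, modules=None, fips_conf=DEFAULT_FIPS_CONF,
                modules_dir=DEFAULT_MODULES_DIR, strict=True):
    """Point OpenSSL at the FIPS config and provider directory when GOFIPS=1.

    Returns True if the env vars were set, False if FIPS was not requested.
    With strict=True it raises RuntimeError when OpenSSL is already loaded,
    because the new config would never take effect in this process.
    """
    environ = os.environ if environ is None else environ
    modules = sys.modules if modules is None else modules
    if not fips_requested(environ):
        return False
    loaded = openssl_already_loaded(modules)
    if loaded and strict:
        raise RuntimeError(
            "OpenSSL already initialised by %s; set %s before importing them"
            % (", ".join(loaded), FIPS_TOGGLE_VAR))
    environ["OPENSSL_CONF"] = fips_conf
    environ["OPENSSL_MODULES"] = modules_dir
    return True


def render_fips_config(fipsmodule_cnf):
    """Render the openssl.cnf that OPENSSL_CONF should point at."""
    return FIPS_CONF_TEMPLATE.format(fipsmodule_cnf=fipsmodule_cnf)


if __name__ == "__main__":
    # Demo on a constructed environment so the real process env is untouched.
    env = {FIPS_TOGGLE_VAR: "1"}
    print("switched:", enable_fips(environ=env, modules={}), env)
    print(render_fips_config("/usr/lib64/ossl-modules/fipsmodule.cnf"))
```

The strict check is the practical safeguard for the ordering constraint the description relies on: if the switch runs after ssl or cryptography has been imported, the process keeps the non-FIPS configuration with no error from OpenSSL, so failing loudly at that point is preferable to a silent non-FIPS run.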