Skip to content

[DOCS] Expand FIPS compliance offerings for 8.19 #132015

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

[DOCS] Expand FIPS compliance offerings for 8.19 #132015

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 16 additions & 4 deletions docs/reference/security/fips-140-compliance.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,20 @@
[role="xpack"]
[[fips-140-compliance]]
=== FIPS 140-2
=== FIPS compliance


The Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS PUB 140-2), titled "Security Requirements for Cryptographic Modules" is a U.S. government computer security standard used to approve cryptographic modules.

* <<fips-es,{es}>> offers a FIPS 140-2 compliant mode and as such can run in a FIPS 140-2 configured JVM.
* link:https://www.elastic.co/guide/en/kibana/8.19/xpack-security-fips-140-2.html[{kib}] offers a FIPS 140-2 compliant mode and as such can run in a Node.js environment configured with a FIPS 140-2 compliant OpenSSL3 provider.
* Some <<fips-ingest,Ingest tools>>, including {agent}, {fleet}, {filebeat}, {metricbeat}, and APM Server, are available as FIPS compatible binaries and can be configured to use FIPS 140-2 compliant cryptography.

NOTE: If you are running {es} through {eck}, refer to link:https://www.elastic.co/docs/deploy-manage/deploy/cloud-on-k8s/deploy-fips-compatible-version-of-eck[ECK FIPS compatibility].

[discrete]
[[fips-es]]
=== FIPS compliance for {es}

The Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS PUB
140-2), titled "Security Requirements for Cryptographic Modules" is a U.S.
government computer security standard used to approve cryptographic modules.
{es} offers a FIPS 140-2 compliant mode and as such can run in a FIPS 140-2
configured JVM.

Expand Down Expand Up @@ -275,3 +285,5 @@ features are not available while running in FIPS 140-2 mode. The list is as foll
can be later used in the FIPS 140-2 configured JVM.
* The SQL CLI client cannot run in a FIPS 140-2 configured JVM while using
TLS for transport security or PKI for client authentication.

include::fips-ingest.asciidoc[]
110 changes: 110 additions & 0 deletions docs/reference/security/fips-ingest.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,110 @@
[role="xpack"]
[[fips-ingest]]
=== FIPS mode for Ingest tools
Comment on lines +1 to +3
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Content moved to Fleet and Agent Guide


preview::[]

{agent}, {fleet}, {filebeat}, {metricbeat}, and APM Server binaries are built and can be configured to use FIPS 140-2 compliant cryptography.
Generally speaking FIPS 140-2 requirements can be summarized as:

- linking against a FIPS certified cryptographic library
- using only FIPS approved cryptographic functions
- ensuring that the configuration of the component is FIPS 140-2 compliant.

[[fips-binaries]]
==== FIPS-compatible binaries and configuration

FIPS compatible binaries for {agent}, {fleet}, {filebeat}, {metricbeat}, and APM Server are available for link:https://www.elastic.co/downloads[download].
Look for the `Linux 64-bit (FIPS)` or `Linux aarch64 (FIPS)` platform option on the product download pages for {agent} and {fleet}, {filebeat}, and {metricbeat}.
Look for the `Linux x86_64 (FIPS)` or `Linux aarch64 (FIPS)` platform option on the APM Server download page.

IMPORTANT: The default configurations provided in the binaries are FIPS compatible. Be sure to check and understand the implications of changing default configurations.

[[ingest-limitations-all]]
==== Limitations

[[ingest-limitations-tls]]
===== TLS

Only FIPS 140-2 compliant TLS protocols, ciphers, and curve types are allowed to be used:

* The supported TLS versions are `TLS v1.2` and `TLS v1.3`.
* The supported cipher suites are:

** `TLS v1.2`: `ECDHE-RSA-AES-128-GCM-SHA256`, `ECDHE-RSA-AES-256-GCM-SHA384`, `ECDHE-ECDSA-AES-128-GCM-SHA256`, `ECDHE-ECDSA-AES-256-GCM-SHA384`
** `TLS v1.3`: `TLS-AES-128-GCM-SHA256`, `TLS-AES-256-GCM-SHA384`

* The supported curve types are `P-256`, `P-384` and `P-521`.

Support for encrypted private keys is not available, as the cryptographic modules used for decrypting password protected keys are not FIPS validated. If an output or any other component with an SSL key that is password protected is configured, the components will fail to load the key. When running in FIPS mode, you must provide non-encrypted keys.
Be sure to enforce security in your FIPS environments through other means, such as strict file permissions and access controls on the key file itself, for example.

These TLS related restrictions apply to all components listed--{agent}, {fleet}, {filebeat}, {metricbeat}, and APM Server.

[[ingest-inputoutput-limitations]]
===== General output and input limitations (Kerberos protocol)

The Kerberos protocol is not supported for any output or input, which also impacts the available `sasl.mechanism` for the Kafka output where only `PLAIN` is supported.

This impacts link:https://www.elastic.co/guide/en/beats/filebeat/8.19/configuration-kerberos.html[Filebeat], link:https://www.elastic.co/guide/en/beats/metricbeat/8.19/configuration-kerberos.html[Metricbeat], and APM Server, as well as output configurations for {agent} with {fleet-server}.

[[ingest-apm-limitations]]
===== APM Server

* The link:https://www.elastic.co/guide/en/observability/8.19/apm-keystore.html[Secrets Keystore] is not supported.

// `{observability-guide}` attribute resolving to 8.x and `404`-ing
// * The link:{observability-guide}/apm-keystore.html[Secrets Keystore] is not supported.

[[ingest-filebeat-limitations]]
===== Filebeat

// `{filebeat-ref}` attribute resolving to 8.x and `404`-ing
// * The link:{filebeat-ref}/keystore.html[Secrets Keystore] is not supported.

* The link:https://www.elastic.co/guide/en/beats/filebeat/8.19/keystore.html[Secrets Keystore] is not supported.
* The link:https://www.elastic.co/guide/en/beats/filebeat/8.19/processor-translate-guid.html[Translate GUID processor] is not supported.
* The link:https://www.elastic.co/guide/en/beats/filebeat/8.19/fingerprint.html[Fingerprint processor] does not support the md5 and sha1 method.
* The link:https://www.elastic.co/guide/en/beats/filebeat/8.19/community-id.html[Community ID Network Flowhash processor] is not supported.
* The link:https://www.elastic.co/guide/en/beats/filebeat/8.19/filebeat-module-azure.html[Azure module] including the link:https://www.elastic.co/guide/en/beats/filebeat/8.19/filebeat-input-azure-eventhub.html[Azure eventhub input] and the link:https://www.elastic.co/guide/en/beats/filebeat/8.19/filebeat-input-azure-blob-storage.html[Azure Blob Storage Input] are not currently supported.
The link:https://www.elastic.co/guide/en/beats/filebeat/8.19/add-cloud-metadata.html[Add Cloud Metadata processor] does not support the Azure Virtual Machine provider currently.
* The link:https://www.elastic.co/guide/en/beats/filebeat/8.19/filebeat-module-o365.html[Office 365 module (Beta)] and the link:https://www.elastic.co/guide/en/beats/filebeat/8.19/filebeat-input-o365audi.html[Office 365 input (Deprecated)] are not supported.
* The link:https://www.elastic.co/guide/en/beats/filebeat/8.19/filebeat-input-gcp-pubsub.html[GCP Pub/Sub input] and the link:https://www.elastic.co/guide/en/beats/filebeat/8.19/filebeat-input-gcs.html[Google Cloud Storage input] are not supported for now.
* The link:https://www.elastic.co/guide/en/beats/filebeat/8.19/filebeat-input-entity-analytics.html[Entity Analytics input] is not supported.

[[ingest-metricbeat-limitations]]
===== Metricbeat

// `{metricbeat-ref}` attribute resolving to 8.x and `404`-ing
// * The link:{metricbeat-ref}/keystore.html[Secrets Keystore] is not supported.

* The link:https://www.elastic.co/guide/en/beats/metricbeat/8.19/keystore.html[Secrets Keystore] is not supported.
* The link:https://www.elastic.co/guide/en/beats/metricbeat/8.19/processor-translate-guid.html[Translate GUID processor] is not supported.
* The link:https://www.elastic.co/guide/en/beats/metricbeat/8.19/fingerprint.html[Fingerprint processor] does not support the md5 and sha1 method.
* The link:https://www.elastic.co/guide/en/beats/metricbeat/8.19/community-id.html[Community ID Network Flowhash processor] is not supported.
* The link:https://www.elastic.co/guide/en/beats/metricbeat/8.19/metricbeat-module-azure.html[Azure module] is currently not supported.
The link:https://www.elastic.co/guide/en/beats/metricbeat/8.19/add-cloud-metadata.html[Add Cloud Metadata processor] does not support the Azure Virtual Machine provider currently.
* The link:https://www.elastic.co/guide/en/beats/metricbeat/8.19/metricbeat-module-gcp.html[Google Cloud Platform module] is currently not supported.
* The link:https://www.elastic.co/guide/en/beats/metricbeat/8.19/metricbeat-module-kvm.html[Beta KVM module] is not yet supported.
* The link:https://www.elastic.co/guide/en/beats/metricbeat/8.19/metricbeat-module-mongodb.html[Mongo DB module] is not supported.
* The link:https://www.elastic.co/guide/en/beats/metricbeat/8.19/metricbeat-module-mysql.html[MySQL], link:https://www.elastic.co/guide/en/beats/metricbeat/8.19/metricbeat-module-postgresql.html[PostgreSQL], link:https://www.elastic.co/guide/en/beats/metricbeat/8.19/metricbeat-module-mssql.html[MSSQL] and link:https://www.elastic.co/guide/en/beats/metricbeat/8.19/metricbeat-module-sql.html[SQL] modules are not supported.
* The link:https://www.elastic.co/guide/en/beats/metricbeat/8.19/metricbeat-module-oracle.html[Oracle module] is not supported.

[[ingest-limitations-agent]]
===== Elastic Agent and Fleet Server

When you use {agent} and {fleet-server}, these limitations apply:

* Running {agent} in link:https://github.com/elastic/elastic-agent/blob/main/internal/pkg/otel/README.md[OpenTelemetry mode] is not yet supported.
This includes all receivers, such as Filebeat Receiver, Metricbeat Receiver, and link:https://www.elastic.co/docs/reference/integrations/prometheus[Prometheus Receiver].
* Some Elastic Integrations are not FIPS compatible, as they depend on functionality that is not yet supported for FIPS configuration.
In general, when using {agent} and {fleet-server}, the same restrictions listed previously for {metricbeat} and {filebeat} modules, inputs, and processors apply.
* These Elastic Integrations have components that are **not** FIPS compatible, and **cannot** be used in FIPS environments, even if combined with other ingest tools that offer FIPS mode.

- link:https://www.elastic.co/docs/reference/integrations/azure/events[Azure Logs Integration (v2 preview)]
- link:https://www.elastic.co/docs/reference/integrations/azure/eventhub[Azure Event Hub Input]
- link:https://www.elastic.co/docs/reference/integrations/postgresql[PostgreSQL Integration]
- link:https://www.elastic.co/docs/reference/integrations/mongodb[MongoDB Integration]
- link:https://www.elastic.co/docs/reference/integrations/mysql[MySQL Integration]
- link:https://www.elastic.co/docs/reference/integrations/microsoft_sqlserver[Microsoft SQL Server Integration]
- link:https://www.elastic.co/docs/reference/integrations/oracle[Oracle Integration]