Enable agent to detect FIPS enabled hosts #4189

Merged (5 commits) on May 28, 2024

harishxr
Contributor

@harishxr harishxr commented May 23, 2024

Summary

This pull request enables ECS Agent on Linux to detect if FIPS mode is enabled on the host machine and store the detected value.

Implementation details

  • Added a new function DetectFIPSMode in the utils package (utils/fips_linux.go). This function reads the /proc/sys/crypto/fips_enabled file to check if FIPS mode is enabled.
  • Introduced a new variable isFIPSEnabled in the config package (config.go), which is initialized during the package initialization using the IsFIPSEnabled function.
  • Added logic to log the FIPS mode status during initialization for debugging purposes.
  • Created unit tests to ensure correct identification of the FIPS mode status.
  • Added a stub function DetectFIPSMode in the utils package (utils/fips_windows.go). This function will set isFIPSEnabled to false by default on Windows hosts.

Testing

  • Unit tests were added to the utils package (utils/fips_linux_test.go)
  • The unit tests cover the following scenarios:
    • FIPS mode is enabled (/proc/sys/crypto/fips_enabled contains 1).
    • FIPS mode is disabled (/proc/sys/crypto/fips_enabled contains 0).
    • FIPS mode file is non-existent.

New tests cover the changes: yes

Description for the changelog

Enable agent to detect FIPS enabled hosts

Does this PR include breaking model changes? If so, have you added transformation functions?
No

Licensing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

sparrc
sparrc previously approved these changes May 24, 2024
Contributor

@singholt singholt left a comment

Don't forget to squash your commits!

agent/utils/fips_linux_test.go (resolved)
@harishxr harishxr requested a review from sparrc May 24, 2024 23:09
@harishxr harishxr merged commit 9a881e2 into aws:dev May 28, 2024
40 checks passed
@Yiyuanzzz Yiyuanzzz mentioned this pull request May 28, 2024
saurabhc123 pushed a commit to saurabhc123/amazon-ecs-agent that referenced this pull request Jun 4, 2024
* Enable agent to detect FIPS enabled hosts

* Add unit test for FIPS detection

* Add FIPS detection stub function for Windows

* Update unit test for FIPS detection

* Adding fips_unsupported file, fixing build tags, adding additional logging

---------

Co-authored-by: Harish Senthilkumar <[email protected]>