Add license check for FIPS #181187
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,63 @@ | ||
| [[xpack-security-fips-140-2]] | ||
| === FIPS 140-2 | ||
|
|
||
| experimental::[] | ||
|
|
||
| The Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS PUB 140-2), | ||
| titled "Security Requirements for Cryptographic Modules" is a U.S. government computer security standard | ||
| used to approve cryptographic modules. | ||
|
|
||
| {kib} offers a FIPS 140-2 compliant mode and as such can run in a Node.js environment configured with a FIPS | ||
| 140-2 compliant OpenSSL3 provider. | ||
|
|
||
| To run {kib} in FIPS mode, you must have the appropriate {subscriptions}[subscription]. | ||
|
|
||
| [IMPORTANT] | ||
| ============================================================================ | ||
| The Node bundled with {kib} is not configured for FIPS 140-2. You must configure a FIPS 140-2 compliant OpenSSL3 | ||
| provider. Consult the Node.js documentation to learn how to configure your environment. | ||
| ============================================================================ | ||
|
|
||
| For {kib}, adherence to FIPS 140-2 is ensured by: | ||
|
|
||
| * Using FIPS approved / NIST recommended cryptographic algorithms. | ||
|
|
||
| * Delegating the implementation of these cryptographic algorithms to a NIST validated cryptographic module | ||
| (available via Node.js configured with an OpenSSL3 provider). | ||
|
|
||
| * Allowing the configuration of {kib} in a FIPS 140-2 compliant manner, as documented below. | ||
|
|
||
| ==== Configuring {kib} for FIPS 140-2 | ||
|
There was a problem hiding this comment. Do we need to do anything about Lines 14 to 15 in 975eeed There was a problem hiding this comment. Good question 😅 Im not sure how that conflicts in a FIPS setup. I can do some investigation. Is there anyway the KB admin could override this currently? There was a problem hiding this comment. It can be removed, Kibana archives will have this at There was a problem hiding this comment. I think it's ok to leave. You can use multiple providers alongside the FIPS provider. In #183777 I ran the FIPS agent pipeline appending FIPS options to the existing There was a problem hiding this comment. Ok, we should be able to leave it: When I configure node with: It runs with the legacy provider (w/o FIPS) and allows 
If I include 
|
||
|
|
||
| Apart from setting `xpack.security.experimental.fipsMode.enabled` to `true` in your {kib} config, a number of security related | ||
| settings need to be reviewed and configured in order to run {kib} successfully in a FIPS 140-2 compliant Node.js | ||
| environment. | ||
|
|
||
| ===== Kibana keystore | ||
|
|
||
| FIPS 140-2 (via NIST Special Publication 800-132) dictates that encryption keys should at least have an effective | ||
| strength of 112 bits. As such, the Kibana keystore that stores the application’s secure settings needs to be | ||
| password protected with a password that satisfies this requirement. This means that the password needs to be 14 bytes | ||
| long which is equivalent to a 14 character ASCII encoded password, or a 7 character UTF-8 encoded password. | ||
|
|
||
| For more information on how to set this password, refer to the <<change-password,keystore documentation>>. | ||
|
|
||
| ===== TLS keystore and keys | ||
|
|
||
| Keystores can be used in a number of General TLS settings in order to conveniently store key and trust material. | ||
| PKCS#12 keystores cannot be used in a FIPS 140-2 compliant Node.js environment. Avoid using these types of keystores. | ||
| Your FIPS 140-2 provider may provide a compliant keystore implementation that can be used, or you can use PEM encoded | ||
| files. To use PEM encoded key material, you can use the relevant `\*.key` and `*.certificate` configuration options, | ||
| and for trust material you can use `*.certificate_authorities`. | ||
|
|
||
| As an example, avoid PKCS#12 specific settings such as: | ||
|
|
||
| * `server.ssl.keystore.path` | ||
| * `server.ssl.truststore.path` | ||
| * `elasticsearch.ssl.keystore.path` | ||
| * `elasticsearch.ssl.truststore.path` | ||
|
|
||
| ===== Limitations | ||
|
|
||
| Configuring {kib} to run in FIPS mode is still considered to be experimental. Not all features are guaranteed to | ||
| function as expected. | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| /* | ||
| * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
| * or more contributor license agreements. Licensed under the Elastic License | ||
| * 2.0 and the Server Side Public License, v 1; you may not use this file except | ||
| * in compliance with, at your election, the Elastic License 2.0 or the Server | ||
| * Side Public License, v 1. | ||
| */ | ||
|
|
||
| import { SecurityServiceConfigType } from '../utils'; | ||
| import { isFipsEnabled } from './fips'; | ||
|
|
||
| describe('fips', () => { | ||
| describe('#isFipsEnabled', () => { | ||
| let config: SecurityServiceConfigType; | ||
|
|
||
| beforeAll(() => { | ||
| config = {}; | ||
| }); | ||
|
|
||
| afterEach(() => { | ||
| config = {}; | ||
| }); | ||
|
There was a problem hiding this comment. NIT: I would ditch that part, given each test manually declare the config it need for its assertion. There was a problem hiding this comment. Fixed in 7b7ed01 |
||
|
|
||
| it('should return `true` if config.experimental.fipsMode.enabled is `true`', () => { | ||
| config = { experimental: { fipsMode: { enabled: true } } }; | ||
|
|
||
| expect(isFipsEnabled(config)).toBe(true); | ||
| }); | ||
|
|
||
| it('should return `false` if config.experimental.fipsMode.enabled is `false`', () => { | ||
| config = { experimental: { fipsMode: { enabled: false } } }; | ||
|
|
||
| expect(isFipsEnabled(config)).toBe(false); | ||
| }); | ||
|
|
||
| it('should return `false` if config.experimental.fipsMode.enabled is `undefined`', () => { | ||
| expect(isFipsEnabled(config)).toBe(false); | ||
| }); | ||
| }); | ||
| }); | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| /* | ||
| * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
| * or more contributor license agreements. Licensed under the Elastic License | ||
| * 2.0 and the Server Side Public License, v 1; you may not use this file except | ||
| * in compliance with, at your election, the Elastic License 2.0 or the Server | ||
| * Side Public License, v 1. | ||
| */ | ||
|
|
||
| import { SecurityServiceConfigType } from '../utils'; | ||
|
|
||
| export function isFipsEnabled(config: SecurityServiceConfigType): boolean { | ||
| return config?.experimental?.fipsMode?.enabled || false; | ||
|
There was a problem hiding this comment. NIT: There was a problem hiding this comment. Fixed in 7b7ed01 |
||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -9,30 +9,57 @@ | |
| import type { Logger } from '@kbn/logging'; | ||
| import type { CoreContext, CoreService } from '@kbn/core-base-server-internal'; | ||
| import type { CoreSecurityDelegateContract } from '@kbn/core-security-server'; | ||
| import { Observable, Subscription } from 'rxjs'; | ||
| import { Config } from '@kbn/config'; | ||
| import { isFipsEnabled } from './fips/fips'; | ||
| import type { | ||
| InternalSecurityServiceSetup, | ||
| InternalSecurityServiceStart, | ||
| } from './internal_contracts'; | ||
| import { | ||
| getDefaultSecurityImplementation, | ||
| convertSecurityApi, | ||
| SecurityServiceConfigType, | ||
| } from './utils'; | ||
|
|
||
| export class SecurityService | ||
| implements CoreService<InternalSecurityServiceSetup, InternalSecurityServiceStart> | ||
| { | ||
| private readonly log: Logger; | ||
| private securityApi?: CoreSecurityDelegateContract; | ||
| private config$: Observable<Config>; | ||
| private configSubscription?: Subscription; | ||
| private config: Config | undefined; | ||
| private readonly getConfig = () => { | ||
| if (!this.config) { | ||
| throw new Error('Config is not available.'); | ||
| } | ||
| return this.config; | ||
| }; | ||
|
|
||
| constructor(coreContext: CoreContext) { | ||
| this.log = coreContext.logger.get('security-service'); | ||
|
|
||
| this.config$ = coreContext.configService.getConfig$(); | ||
| this.configSubscription = this.config$.subscribe((config) => { | ||
| this.config = config; | ||
| }); | ||
| } | ||
|
|
||
| public setup(): InternalSecurityServiceSetup { | ||
| const config = this.getConfig(); | ||
| const securityConfig: SecurityServiceConfigType = config.get(['xpack', 'security']); | ||
|
There was a problem hiding this comment. Oh, yeah... I overlooked we would need to access the security plugin's config from our core service for that feature 🙈. With our security-in-core initiative, I think we'll want to move the security config from Without doing so, I agree that hacking around and accessing the raw config is the most pragmatic approach. It's absolutely against a dozen Core principles though, so would you mind opening a follow-up issue, just to keep track (and discuss) of moving the security config schema/registration to Core? There was a problem hiding this comment. Follow up issue: #186863 Ill make a note to update this code once we move the config over |
||
|
|
||
| return { | ||
| registerSecurityDelegate: (api) => { | ||
| if (this.securityApi) { | ||
| throw new Error('security API can only be registered once'); | ||
| } | ||
| this.securityApi = api; | ||
| }, | ||
| fips: { | ||
| isEnabled: () => isFipsEnabled(securityConfig), | ||
| }, | ||
| }; | ||
| } | ||
|
|
||
|
|
@@ -44,5 +71,10 @@ export class SecurityService | |
| return convertSecurityApi(apiContract); | ||
| } | ||
|
|
||
| public stop() { | ||
| if (this.configSubscription) { | ||
| this.configSubscription.unsubscribe(); | ||
| this.configSubscription = undefined; | ||
| } | ||
| } | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -20,5 +20,6 @@ | |
| "@kbn/core-http-server", | ||
| "@kbn/logging-mocks", | ||
| "@kbn/core-base-server-mocks", | ||
| "@kbn/config", | ||
| ] | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -6,6 +6,7 @@ | |
| * Side Public License, v 1. | ||
| */ | ||
|
|
||
| import { CoreFipsService } from './fips'; | ||
|
There was a problem hiding this comment. Fixed in 7b7ed01 |
||
| import type { CoreAuthenticationService } from './authc'; | ||
| import type { CoreSecurityDelegateContract } from './api_provider'; | ||
| import type { CoreAuditService } from './audit'; | ||
|
|
@@ -21,6 +22,11 @@ export interface SecurityServiceSetup { | |
| * @remark this should **exclusively** be used by the security plugin. | ||
| */ | ||
| registerSecurityDelegate(api: CoreSecurityDelegateContract): void; | ||
|
|
||
| /** | ||
| * The {{@link CoreFipsService | FIPS service}} | ||
|
There was a problem hiding this comment. NIT: I don't think doubling There was a problem hiding this comment. Fixed in 7b7ed01 |
||
| */ | ||
| fips: CoreFipsService; | ||
| } | ||
|
|
||
| /** | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| /* | ||
| * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
| * or more contributor license agreements. Licensed under the Elastic License | ||
| * 2.0 and the Server Side Public License, v 1; you may not use this file except | ||
| * in compliance with, at your election, the Elastic License 2.0 or the Server | ||
| * Side Public License, v 1. | ||
| */ | ||
|
|
||
| /** | ||
| * Core's FIPS service | ||
| * | ||
| * @public | ||
| */ | ||
| export interface CoreFipsService { | ||
| /** | ||
| * Check if Kibana is configured to run in FIPS mode | ||
| */ | ||
| isEnabled(): boolean; | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -388,6 +388,7 @@ kibana_vars=( | |
| xpack.security.authc.selector.enabled | ||
| xpack.security.cookieName | ||
| xpack.security.encryptionKey | ||
| xpack.security.experimental.fipsMode.enabled | ||
|
There was a problem hiding this comment. NIT: Thinking out loud there, but are we sure we want that under that experimental prefix instead of just flagging it as experimental in the documentation? experimental config prefixes means once the feature leaves its experimental state, the config property name changes too, meaning another config deprecation to move it, and overall more work and maintenance. So yeah, wouldn't documenting the flag as experimental be enough? There was a problem hiding this comment. I'm torn; I want to really make clear that this config option should not be used at the moment, but I do see what you mean more work/rework. @legrego @azasypkin What do you think? There was a problem hiding this comment. I'm quite torn as well. We really do not want this to be exposed/configured yet, and documenting it goes against that goal. There was a problem hiding this comment. Yeah, I think I'm in the "experimental-in-config-entry-name" camp mostly due to these reasons:
There was a problem hiding this comment. 👍 fair enough, thanks for explaining the reasoning |
||
| xpack.security.loginAssistanceMessage | ||
| xpack.security.loginHelp | ||
| xpack.security.sameSiteCookies | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Heya @georgewallace ! Would you or someone on you team be able to take a look at this documentation?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Heya @elastic/kibana-docs Would someone mind taking a look?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To make this page appear in the output, you'll need to add
include::fips-140-2.asciidoc[]at the end of thedocs/user/security/index.asciidocfile (or in some other navigation file, depending on where it ought to appear in the navigation tree).There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've added the page to the navigation in c37004a. I think it could honestly go in either of these sections: https://www.elastic.co/guide/en/kibana/current/using-kibana-with-security.html or https://www.elastic.co/guide/en/kibana/current/xpack-security.html. I've added it to the latter for now but can easily move if the former makes more sense for this content.