PUP-7510: FIPS-Enabled Puppet

Details

    • Epic
    • Status: Closed
    • Normal
    • Resolution: Done
    • None
    • PUP 5.4.0
    • None
    • None
    • FIPS-Enabled Puppet
    • Customers are able to pass an audit of their FIPS 140-2 compliance.
    • Platform Core
    • New Feature
    • We are adding a new puppet-agent package intended to be deployed on FIPS-enabled hosts. The new package is linked against system OpenSSL instead of the vendored version in the puppet-agent package. On FIPS-enabled hosts, puppet will not use MD5 for file checksums or digital signature algorithms, and will gracefully error if configured to use MD5, e.g. Puppet[:digest_algorithm] = 'md5'. This only affects the puppet-agent package. Future releases will provide FIPS compliance for puppetserver and CA.
    • Needs Assessment

    Description

      The problem is that customers using our Puppet and Puppet Enterprise packages cannot meet the FIPS 140-2 requirements because we roll our own OpenSSL and do not link against the OpenSSL provided with RHEL. This causes them to fail "FISMA High" compliance standards.

      This epic is the place to gather the stream of work required to remediate this issue, although some implications (such as for puppet-server) will require tickets outside the PUP Jira project.

            People

              Unassigned Unassigned
              eric.sorenson Eric Sorenson