Details

    • Type: Epic
    • Status: Closed
    • Priority: Normal
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: PUP 5.4.0
    • Component/s: None
    • Labels:
      None
    • Epic Name:
      FIPS-Enabled Puppet
    • Template:
    • Acceptance Criteria:
      Customers are able to pass an audit of their FIPS 140-2 compliance.

    • Team/s:
      Platform Core
    • Release Notes:
      New Feature
    • Release Notes Summary:
      We are adding a new puppet-agent package intended to be deployed on FIPS-enabled hosts. The new package is linked against system OpenSSL instead of the vendored version in the puppet-agent package. On FIPS-enabled hosts, puppet will not use MD5 for file checksums or digital signature algorithms, and will gracefully error if configured to use MD5, e.g. Puppet[:digest_algorithm] = 'md5'. This only affects the puppet-agent package. Future releases will provide FIPS compliance for puppetserver and CA.
    • QA Risk Assessment:
      Needs Assessment

      Description

      The problem is that customers using our Puppet and Puppet Enterprise packages cannot meet the FIPS 140-2 requirements because we roll our own OpenSSL and do not link against the OpenSSL provided with RHEL. This causes them to fail "FISMA High" compliance standards.

      This epic is the place to gather the stream of work required to remediate this issue, although some implications (such as for puppet-server) will require tickets outside the PUP jira project.

                People

                • Assignee:
                  Unassigned
                  Reporter:
                  eric.sorenson Eric Sorenson
                • Votes:
                  3
                  Watchers:
                  13
