Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-7510

FIPS-Enabled Puppet

          Details

          • Type: Epic
          • Status: Closed
          • Priority: Normal
          • Resolution: Done
          • Affects Version/s: None
          • Fix Version/s: PUP 5.4.0
          • Component/s: None
          • Labels:
            None
          • Epic Name:
            FIPS-Enabled Puppet
          • Template:
          • Acceptance Criteria:
            Hide

            Customers are able to pass an audit of their FIPS 140-2 compliance.

            Show
            Customers are able to pass an audit of their FIPS 140-2 compliance.
          • Team/s:
            Platform Core
          • Release Notes:
            New Feature
          • Release Notes Summary:
            Hide
            We are adding a new puppet-agent package intended to be deployed on FIPS enabled hosts. The new package is linked against system OpenSSL instead of the vendored version in the puppet-agent package. On FIPS enabled hosts, puppet will not use MD5 for file checksums or digital signature algorithms, and will gracefully error if configured to use MD5, e.g. Puppet[:digest_algorithm] = 'md5'. This only affect the puppet-agent package. Future releases will provide FIPS compliance for puppetserver and CA.
            Show
            We are adding a new puppet-agent package intended to be deployed on FIPS enabled hosts. The new package is linked against system OpenSSL instead of the vendored version in the puppet-agent package. On FIPS enabled hosts, puppet will not use MD5 for file checksums or digital signature algorithms, and will gracefully error if configured to use MD5, e.g. Puppet[:digest_algorithm] = 'md5'. This only affect the puppet-agent package. Future releases will provide FIPS compliance for puppetserver and CA.
          • QA Risk Assessment:
            Needs Assessment

            Description

            The problem is that customers using our Puppet and Puppet Enterprise packages cannot meet the FIPS 140-2 requirements because we roll our own OpenSSL and do not link against the OpenSSL provided with RHEL. This causes them to fail "FISMA High" compliance standards.

            This epic is the place to gather the stream of work required to remediate this issue, although some implications (such as for puppet-server) will require tickets outside the PUP jira project.

              Attachments

                Issue Links

                relates to

                Epic - Created by JIRA Software - do not edit or delete. Issue type for a big user story that needs to be broken down. PA-1642 Add EL 7 (FIPS) x86_64 as a supported agent platform

                • Normal - Regular issue, some loss of functionality under specific circumstances.
                • Closed

                Epic - Created by JIRA Software - do not edit or delete. Issue type for a big user story that needs to be broken down. SERVER-2524 FIPS-Enabled Puppet Server Side

                • Critical - Crashes, loss of data, severe memory leak.
                • Developing
                mentioned in

                Page Loading...

                  Activity

                    People

                    • Assignee:
                      Unassigned
                      Reporter:
                      eric.sorenson Eric Sorenson
                    • Votes:
                      3 Vote for this issue
                      Watchers:
                      13 Start watching this issue

                      Dates

                      • Created:
                        Updated:
                        Resolved:

                        Zendesk Support