Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-7510

FIPS-Enabled Puppet

    XMLWordPrintable

    Details

    • Type: Epic
    • Status: Closed
    • Priority: Normal
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: PUP 5.4.0
    • Component/s: None
    • Labels:
      None
    • Epic Name:
      FIPS-Enabled Puppet
    • Template:
    • Acceptance Criteria:
      Hide

      Customers are able to pass an audit of their FIPS 140-2 compliance.

      Show
      Customers are able to pass an audit of their FIPS 140-2 compliance.
    • Team/s:
      Platform Core
    • Release Notes:
      New Feature
    • Release Notes Summary:
      Hide
      We are adding a new puppet-agent package intended to be deployed on FIPS enabled hosts. The new package is linked against system OpenSSL instead of the vendored version in the puppet-agent package. On FIPS enabled hosts, puppet will not use MD5 for file checksums or digital signature algorithms, and will gracefully error if configured to use MD5, e.g. Puppet[:digest_algorithm] = 'md5'. This only affect the puppet-agent package. Future releases will provide FIPS compliance for puppetserver and CA.
      Show
      We are adding a new puppet-agent package intended to be deployed on FIPS enabled hosts. The new package is linked against system OpenSSL instead of the vendored version in the puppet-agent package. On FIPS enabled hosts, puppet will not use MD5 for file checksums or digital signature algorithms, and will gracefully error if configured to use MD5, e.g. Puppet[:digest_algorithm] = 'md5'. This only affect the puppet-agent package. Future releases will provide FIPS compliance for puppetserver and CA.
    • QA Risk Assessment:
      Needs Assessment

      Description

      The problem is that customers using our Puppet and Puppet Enterprise packages cannot meet the FIPS 140-2 requirements because we roll our own OpenSSL and do not link against the OpenSSL provided with RHEL. This causes them to fail "FISMA High" compliance standards.

      This epic is the place to gather the stream of work required to remediate this issue, although some implications (such as for puppet-server) will require tickets outside the PUP jira project.

        Attachments

          Issue Links

          relates to

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. PA-1642 Add EL 7 (FIPS) x86_64 as a supported agent platform

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Closed

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. SERVER-2524 FIPS-Enabled Puppet Server Side

          • Critical - Crashes, loss of data, severe memory leak.
          • Open
          mentioned in

          Page Loading...

            Activity

              People

              Assignee:
              Unassigned
              Reporter:
              eric.sorenson Eric Sorenson
              Votes:
              3 Vote for this issue
              Watchers:
              13 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Zendesk Support