Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Add support for FIPS 140-3 compliance check #27

Merged
merged 1 commit into from
Jun 7, 2024
Merged

feat: Add support for FIPS 140-3 compliance check #27

merged 1 commit into from
Jun 7, 2024

Conversation

anurag-rajawat
Copy link
Contributor

Related to #26

nyrahul
nyrahul requested changes May 20, 2024
View reviewed changes
src/tlsscan Outdated Show resolved Hide resolved
@anurag-rajawat anurag-rajawat marked this pull request as draft May 27, 2024 11:55
@anurag-rajawat
Copy link
Contributor Author

Sample outputs:

  • CSV summary
Name               ,Address                                       ,Status       ,Version   ,Ciphersuite                     ,Hash     ,Signature ,Verification                                   ,FIPS_140_3_Compliant
"Google"           ,"google.com:443"                              ,"TLS"        ,"TLSv1.3" ,"TLS_AES_256_GCM_SHA384"        ,"SHA256" ,"ECDSA"   ,"OK"                                           ,"Yes"
"Accuknox"         ,"accuknox.com:443"                            ,"TLS"        ,"TLSv1.3" ,"TLS_AES_256_GCM_SHA384"        ,"SHA256" ,"ECDSA"   ,"OK"                                           ,"Yes"
"BadSSL"           ,"expired.badssl.com:443"                      ,"TLS"        ,"TLSv1.2" ,"ECDHE-RSA-AES128-GCM-SHA256"   ,"SHA512" ,"RSA"     ,"certificate has expired"                      ,"No"
"BadSSL"           ,"wrong.host.badssl.com:443"                   ,"TLS"        ,"TLSv1.2" ,"ECDHE-RSA-AES128-GCM-SHA256"   ,"SHA512" ,"RSA"     ,"OK"                                           ,"No"
"BadSSL"           ,"self-signed.badssl.com:443"                  ,"TLS"        ,"TLSv1.2" ,"ECDHE-RSA-AES128-GCM-SHA256"   ,"SHA512" ,"RSA"     ,"self-signed certificate"                      ,"No"
"BadSSL"           ,"untrusted-root.badssl.com:443"               ,"TLS"        ,"TLSv1.2" ,"ECDHE-RSA-AES128-GCM-SHA256"   ,"SHA512" ,"RSA"     ,"self-signed certificate in certificate chain" ,"No"
"BadSSL"           ,"revoked.badssl.com:443"                      ,"TLS"        ,"TLSv1.2" ,"ECDHE-ECDSA-AES128-GCM-SHA256" ,"SHA512" ,"ECDSA"   ,"OK"                                           ,"No"
"BadSSL"           ,"pinning-test.badssl.com:443"                 ,"TLS"        ,"TLSv1.2" ,"ECDHE-RSA-AES128-GCM-SHA256"   ,"SHA512" ,"RSA"     ,"OK"                                           ,"No"
"BadSSL"           ,"dh480.badssl.com:443"                        ,"PLAIN_TEXT" ,""        ,""                              ,""       ,""        ,""                                             ,"No"
"LocalTest"        ,"isunknownaddress.com:12345"                  ,"CONNFAIL"   ,""        ,""                              ,""       ,""        ,""                                             ,"No"
"webserver"        ,"localhost:9090"                              ,"CONNFAIL"   ,""        ,""                              ,""       ,""        ,""                                             ,"No"
"localssh"         ,"localhost:22"                                ,"PLAIN_TEXT" ,""        ,""                              ,""       ,""        ,""                                             ,"No"
"AmazonAPIGateway" ,"apigateway-fips.us-east-1.amazonaws.com:443" ,"TLS"        ,"TLSv1.3" ,"TLS_AES_128_GCM_SHA256"        ,"SHA256" ,"RSA-PSS" ,"OK"                                           ,"Yes"
"AmazonDynamoDB"   ,"dynamodb-fips.ca-west-1.amazonaws.com:443"   ,"TLS"        ,"TLSv1.3" ,"TLS_AES_256_GCM_SHA384"        ,"SHA256" ,"RSA-PSS" ,"OK"                                           ,"Yes"
  • JSON report (only with fips-check)
{
	"app": {
		"version": "v0.1"
	},
	"endpoints": [
		{
			"svc": "Google",
			"host": "google.com",
			"port": "443",
			"finding": [
				{
					"plugin": "fips-140-3-compliance-check",
					"title": "FIPS 140-3 compliant encryption check",
					"compliance": "FIPS.140.3",
					"control-id": "3.3",
					"cipherSuiteInUse": "TLS_AES_256_GCM_SHA384",
					"description": "Using Secure TLS protocol and FIPS-approved Ciphers. FIPS-approved ciphersuite in use is TLS_AES_256_GCM_SHA384",
					"link": "https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf",
					"severity": "medium",
					"remediationEstEffort": "medium",
					"solution": "NA",
					"compliant": "Yes"
				}
			]
		},
		{
			"svc": "Accuknox",
			"host": "accuknox.com",
			"port": "443",
			"finding": [
				{
					"plugin": "fips-140-3-compliance-check",
					"title": "FIPS 140-3 compliant encryption check",
					"compliance": "FIPS.140.3",
					"control-id": "3.3",
					"cipherSuiteInUse": "TLS_AES_256_GCM_SHA384",
					"description": "Using Secure TLS protocol and FIPS-approved Ciphers. FIPS-approved ciphersuite in use is TLS_AES_256_GCM_SHA384",
					"link": "https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf",
					"severity": "medium",
					"remediationEstEffort": "medium",
					"solution": "NA",
					"compliant": "Yes"
				}
			]
		},
		{
			"svc": "BadSSL",
			"host": "expired.badssl.com",
			"port": "443",
			"finding": [
				{
					"plugin": "fips-140-3-compliance-check",
					"title": "FIPS 140-3 compliant encryption check",
					"compliance": "FIPS.140.3",
					"control-id": "3.3",
					"cipherSuiteInUse": "ECDHE-RSA-AES128-GCM-SHA256",
					"description": "Approved ciphers to meet the requirements of FIPS-140-3 compliant encryption.",
					"link": "https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf",
					"severity": "medium",
					"remediationEstEffort": "medium",
					"solution": "use FIPS-approved ciphers: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CCM, TLS_ECDHE_ECDSA_WITH_AES_128_CCM, TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]",
					"compliant": "No"
				}
			]
		},
		{
			"svc": "BadSSL",
			"host": "wrong.host.badssl.com",
			"port": "443",
			"finding": [
				{
					"plugin": "fips-140-3-compliance-check",
					"title": "FIPS 140-3 compliant encryption check",
					"compliance": "FIPS.140.3",
					"control-id": "3.3",
					"cipherSuiteInUse": "ECDHE-RSA-AES128-GCM-SHA256",
					"description": "Approved ciphers to meet the requirements of FIPS-140-3 compliant encryption.",
					"link": "https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf",
					"severity": "medium",
					"remediationEstEffort": "medium",
					"solution": "use FIPS-approved ciphers: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CCM, TLS_ECDHE_ECDSA_WITH_AES_128_CCM, TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]",
					"compliant": "No"
				}
			]
		},
		{
			"svc": "BadSSL",
			"host": "self-signed.badssl.com",
			"port": "443",
			"finding": [
				{
					"plugin": "fips-140-3-compliance-check",
					"title": "FIPS 140-3 compliant encryption check",
					"compliance": "FIPS.140.3",
					"control-id": "3.3",
					"cipherSuiteInUse": "ECDHE-RSA-AES128-GCM-SHA256",
					"description": "Approved ciphers to meet the requirements of FIPS-140-3 compliant encryption.",
					"link": "https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf",
					"severity": "medium",
					"remediationEstEffort": "medium",
					"solution": "use FIPS-approved ciphers: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CCM, TLS_ECDHE_ECDSA_WITH_AES_128_CCM, TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]",
					"compliant": "No"
				}
			]
		},
		{
			"svc": "BadSSL",
			"host": "untrusted-root.badssl.com",
			"port": "443",
			"finding": [
				{
					"plugin": "fips-140-3-compliance-check",
					"title": "FIPS 140-3 compliant encryption check",
					"compliance": "FIPS.140.3",
					"control-id": "3.3",
					"cipherSuiteInUse": "ECDHE-RSA-AES128-GCM-SHA256",
					"description": "Approved ciphers to meet the requirements of FIPS-140-3 compliant encryption.",
					"link": "https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf",
					"severity": "medium",
					"remediationEstEffort": "medium",
					"solution": "use FIPS-approved ciphers: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CCM, TLS_ECDHE_ECDSA_WITH_AES_128_CCM, TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]",
					"compliant": "No"
				}
			]
		},
		{
			"svc": "BadSSL",
			"host": "revoked.badssl.com",
			"port": "443",
			"finding": [
				{
					"plugin": "fips-140-3-compliance-check",
					"title": "FIPS 140-3 compliant encryption check",
					"compliance": "FIPS.140.3",
					"control-id": "3.3",
					"cipherSuiteInUse": "ECDHE-ECDSA-AES128-GCM-SHA256",
					"description": "Approved ciphers to meet the requirements of FIPS-140-3 compliant encryption.",
					"link": "https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf",
					"severity": "medium",
					"remediationEstEffort": "medium",
					"solution": "use FIPS-approved ciphers: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CCM, TLS_ECDHE_ECDSA_WITH_AES_128_CCM, TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]",
					"compliant": "No"
				}
			]
		},
		{
			"svc": "BadSSL",
			"host": "pinning-test.badssl.com",
			"port": "443",
			"finding": [
				{
					"plugin": "fips-140-3-compliance-check",
					"title": "FIPS 140-3 compliant encryption check",
					"compliance": "FIPS.140.3",
					"control-id": "3.3",
					"cipherSuiteInUse": "ECDHE-RSA-AES128-GCM-SHA256",
					"description": "Approved ciphers to meet the requirements of FIPS-140-3 compliant encryption.",
					"link": "https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf",
					"severity": "medium",
					"remediationEstEffort": "medium",
					"solution": "use FIPS-approved ciphers: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CCM, TLS_ECDHE_ECDSA_WITH_AES_128_CCM, TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]",
					"compliant": "No"
				}
			]
		},
		{
			"svc": "BadSSL",
			"host": "dh480.badssl.com",
			"port": "443",
			"finding": [
				{
					"plugin": "fips-140-3-compliance-check",
					"title": "FIPS 140-3 compliant encryption check",
					"compliance": "FIPS.140.3",
					"control-id": "3.2",
					"cipherSuiteInUse": "",
					"description": "Secure TLS protocol is required to meet the requirements of FIPS-140-3 compliant encryption.",
					"link": "https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf",
					"severity": "critical",
					"remediationEstEffort": "medium",
					"solution": "Implement secure TLS protocol (TLS >= v1.2)",
					"compliant": "No"
				}
			]
		},
		{
			"svc": "LocalTest",
			"host": "isunknownaddress.com",
			"port": "12345",
			"finding": [
				{
					"plugin": "tls-security",
					"title": "use of TLS security",
					"compliance": "NIST.SP.800-52",
					"control-id": "2.1",
					"description": "It is mandatory for TLS to be enabled for all network communications including east-west traffic.",
					"link": "https://csrc.nist.gov/news/2019/nist-publishes-sp-800-52-revision-2",
					"severity": "critical",
					"remediationEstEffort": "medium",
					"solution": "enable TLS or transport security on the port.",
					"status": "FAIL"
				}
			]
		},
		{
			"svc": "webserver",
			"host": "localhost",
			"port": "9090",
			"finding": [
				{
					"plugin": "tls-security",
					"title": "use of TLS security",
					"compliance": "NIST.SP.800-52",
					"control-id": "2.1",
					"description": "It is mandatory for TLS to be enabled for all network communications including east-west traffic.",
					"link": "https://csrc.nist.gov/news/2019/nist-publishes-sp-800-52-revision-2",
					"severity": "critical",
					"remediationEstEffort": "medium",
					"solution": "enable TLS or transport security on the port.",
					"status": "FAIL"
				}
			]
		},
		{
			"svc": "localssh",
			"host": "localhost",
			"port": "22",
			"finding": [
				{
					"plugin": "fips-140-3-compliance-check",
					"title": "FIPS 140-3 compliant encryption check",
					"compliance": "FIPS.140.3",
					"control-id": "3.2",
					"cipherSuiteInUse": "",
					"description": "Secure TLS protocol is required to meet the requirements of FIPS-140-3 compliant encryption.",
					"link": "https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf",
					"severity": "critical",
					"remediationEstEffort": "medium",
					"solution": "Implement secure TLS protocol (TLS >= v1.2)",
					"compliant": "No"
				}
			]
		},
		{
			"svc": "AmazonAPIGateway",
			"host": "apigateway-fips.us-east-1.amazonaws.com",
			"port": "443",
			"finding": [
				{
					"plugin": "fips-140-3-compliance-check",
					"title": "FIPS 140-3 compliant encryption check",
					"compliance": "FIPS.140.3",
					"control-id": "3.3",
					"cipherSuiteInUse": "TLS_AES_128_GCM_SHA256",
					"description": "Using Secure TLS protocol and FIPS-approved Ciphers. FIPS-approved ciphersuite in use is TLS_AES_128_GCM_SHA256",
					"link": "https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf",
					"severity": "medium",
					"remediationEstEffort": "medium",
					"solution": "NA",
					"compliant": "Yes"
				}
			]
		},
		{
			"svc": "AmazonDynamoDB",
			"host": "dynamodb-fips.ca-west-1.amazonaws.com",
			"port": "443",
			"finding": [
				{
					"plugin": "fips-140-3-compliance-check",
					"title": "FIPS 140-3 compliant encryption check",
					"compliance": "FIPS.140.3",
					"control-id": "3.3",
					"cipherSuiteInUse": "TLS_AES_256_GCM_SHA384",
					"description": "Using Secure TLS protocol and FIPS-approved Ciphers. FIPS-approved ciphersuite in use is TLS_AES_256_GCM_SHA384",
					"link": "https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf",
					"severity": "medium",
					"remediationEstEffort": "medium",
					"solution": "NA",
					"compliant": "Yes"
				}
			]
		}
	]
}

Complete report.json

@anurag-rajawat
Copy link
Contributor Author

Does the sample report look good to you? Once confirmed, I'll update the documentation.

@anurag-rajawat anurag-rajawat requested a review from nyrahul June 3, 2024 14:32
@anurag-rajawat anurag-rajawat marked this pull request as ready for review June 4, 2024 02:08
@nandhued nandhued mentioned this pull request Jun 4, 2024
Closed
@nyrahul nyrahul merged commit 7b6a24d into kubearmor:main Jun 7, 2024
1 of 2 checks passed
@anurag-rajawat anurag-rajawat deleted the feat-fips branch June 7, 2024 03:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nyrahul nyrahul Awaiting requested review from nyrahul

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@anurag-rajawat @nyrahul