Uploaded image for project: 'OpenShift Container Platform (OCP) Strategy'
  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-809

Deliver FIPS ready scanner for OCP payload

    XMLWordPrintable

Details

    • Feature
    • Resolution: Won't Do
    • Undefined
    • None
    • None
    • Security & Compliance
    • None
    • False
    • Hide

      None

      Show
      None
    • False
    • OCPSTRAT-853Address remaining items required for OCP & layered products FIPS compliance
    • 66
    • 66% 66%
    • 0
    • 0
    • Program Call

    Description

      Feature Overview (aka. Goal Summary)  

      An elevator pitch (value statement) that describes the Feature in a clear, concise way.  Complete during New status.

      Red Hat recently addressed an issue with FIPS-readiness of core go OpenShift binaries. As part of that work, engineering developed a scanner to validate FIPS-readiness for these binaries and plans to make this scanner easily available to all OpenShift customers. https://access.redhat.com/security/cve/cve-2023-3089 

      Goals (aka. expected user outcomes)

      The observable functionality that the user now has as a result of receiving this feature. Complete during New status.

      OpenShift customers can deploy the FIPS-readiness scanner to their clusters, easily use it to verify the status (FIPS ready or not) of go binaries delivered by Red Hat and easily provide those results to their auditor. 

      Requirements (aka. Acceptance Criteria):

      A list of specific needs or objectives that a feature must deliver in order to be considered complete.  Be sure to include nonfunctional requirements such as security, reliability, performance, maintainability, scalability, usability, etc.  Initial completion during Refinement status.

      Use Cases (Optional):

      Include use case diagrams, main success scenarios, alternative flow scenarios.  Initial completion during Refinement status.

      Scan RH binaries that RH claims are FIPS compliant to verify FIPS readiness.

      Include this check as part of the Compliance Operator profile for scanning for FISMA moderate and FISMA high compliance. 

      Questions to Answer (Optional):

      Include a list of refinement / architectural questions that may need to be answered before coding can begin.  Initial completion during Refinement status.

      Determine the best way to productize the scanner. Options include delivering as part of the optional Compliance Operator. 

      Determine whether there is a way to warn if a patch that is about to be applied will violate FIPS compliance for a binary that is currently FIPS compliant. For example, deploying an update that includes an OpenSSL version that is not yet FIPS validated would change the compliance status. For this to be useful, we would need to check the binary prior to its being deployed. This use case may be better served via ACS which already integrates with container registries. 

      Out of Scope

      High-level list of items that are out of scope.  Initial completion during Refinement status.

      Checks that can only be run in the Red Hat build/CI and not on the final binary. 

      Background

      Provide any additional context is needed to frame the feature.  Initial completion during Refinement status.

      Addressing this issue took significant engineering effort. We want to increase customer's trust in our deliverables in future by enabling them to validate the status for themselves. 

      Customer Considerations

      Provide any additional customer-specific considerations that must be made when designing and delivering the Feature.  Initial completion during Refinement status.

      FIPS is required for most US Government customers and for many commercial customers who sell to the US Government. Customers need a way to demonstrate compliance to their auditors. 

      Documentation Considerations

      Provide information that needs to be considered and planned so that documentation will meet customer needs.  Initial completion during Refinement status.

      Documentation on deployment, running the scanner, and understanding results is required. 

      Interoperability Considerations

      Which other projects and versions in our portfolio does this feature impact?  What interoperability test scenarios should be factored by the layered products?  Initial completion during Refinement status.

      The ACS team has expressed interest in making this functionality available to customers to validate their custom workloads. This would be a differentiator for ACS. Integrating the scanner with the Compliance Operator would simplify the ability for ACS to leverage this work for custom workloads. 

      Attachments

        Issue Links

          is related to

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. USHIFT-1625 extend FIPS validation tool to work on unpackaged binaries

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Activity

            People

              jjung@redhat.com Jean-Philippe Jung
              knewcome@redhat.com Kirsten Newcomer
              Matthew Werner Matthew Werner
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: