Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


"FIPS" stands for Federal Information Processing Standards. It is a set of standards issued by the National Institute of Technology (NIST) in the United States to ensure the security and interoperability of information technology systems. Federal agencies and contractors use these standards to ensure their information systems are secure and meet certain/specific requirements for handling sensitive information/data.

This article explains enabling FIPS mode in Ubuntu-based systems working with Checkmk.
Info
Warning

Proceed with caution, as Checkmk does not currently support FIPS configurations.

This article is a workaround only!

Status
colourGreen
titleLAST TESTED ON CHECKMK 2.2.0P1


Panel
borderColorblack
bgColor#f8f8f8
titleTable of Contents

Table of Contents


Step-by-step guide


Info

FIPS mode is only available via an Ubuntu Pro subscription. A $25/yr/Desktop type subscription was used for this demonstration.

More information on attaching an Ubuntu Pro subscription can be found here:
https://ubuntu.com/server/docs/install/subscription


    The following image displays what should be enabled and where to locate your subscription token.
    Image Removed
    .
  1. Next, you will need to install Ubuntu Advantage on the system.

    Code Block
    languagebash
    themeRDark
    [user@ubuntuhost ~]$ sudo apt install ubuntu-advantage-tools

    .
    .

  2. After you have the token, you You can use the following command instructions to activate enable FIPS via on Ubuntu Advantage.

    Code Block
    languagebash
    themeRDark
    [user@ubuntuhost ~]$ sudo ua attach <your_pro_token>
    Code Block
    languagebash
    themeRDark
    [user@ubuntuhost ~]$ sudo va attach C1MFo2BfFVQek921GHB11aC35VKWA [sudo] password for cmkadmin: Enabling default service esm-infra Updating package lists Ubuntu Pro: ESM Infra enabled Enabling default service fips-updates Updating package lists Installing FIPS Updates packages FIPS Updates enabled A reboot is required to complete install. Enabling default service livepatch Installing canonical-livepatch snap Canonical livepatch enabled. This machine is now attached to 'Ubuntu Pro Desktop' SERVICE ENTITLED STATUS STATUS DESCRIPTION esm-infra yes enabled Expanded Security Maintenance for Infrastructure fips-updates yes enabled NIST-certified core packages with prlorlty security updates livepatch yes enabled Canonical Livepatch service usg yes disabled Security compliance and audit tools NOTICES Operation in progress: pro attach FIPS support reguires system reboot to complete conflguration. Enable services with: pro enable <service> Account; Subscription: Ubuntu Pro Desktop Valid until: Fri Jan 13 13:34:55 2023 UTC Technical support level: essential   [user@ubuntuhost ~]$

    systems:
    https://ubuntu.com/security/certifications/docs/fips-enablement

    Note

    Please note that the above process is not supported by Checkmk. If there is a problem enabling FIPS on Ubuntu, you will need to reach out to Ubuntu support.


    .

  3. Now reboot the system. Here you can see that FIPS mode has been activated.

    Screenshot of ubuntu booting in fips modeImage Modified

    You should reboot to this prompt.

    Code Block
    languagebash
    themeRDark
    Checking kernel image: /boot/vmlinuz-5.4.0-1007-fips
    FIPS check done
    done.
    
    Welcome to Ubuntu 20.04.05 LTS!

    .

  4. Now you can register this host with the Checkmk Agent for monitoring.


    Code Block
    languagebash
    themeRDark
    [user@ubuntuhost ~]$ sudo cmk-agent-ctl register --site mysite --hostname ubuntuhost --server 192.168.0.15
    user cmkadnin
    Attempting to register at 192.168.0.15:8000/mysite. Server certificate details:
    
    PEM-encoded certificate:
    -----BEGIN CERTIFICATE-
    MIICBTCCAdNgAWIBAGIUaCklbywn@E@BULRn?kqEHqlVEeEWDQYJKOZIhVCNAQEL
    BQAWJTEJNCEGALUEAwwaU2l0ZSAnb₩9uaXRvcmlUZycgbG9jYWwgQOEWIBCNMjIx
    MDEOMDMWNDA4WhgPMZAYNTAYNTQWMZAOMDhaMBUXEZARB9NVBAMMCm1vbml0b3Jp
    brcwggELMAOGCSqGSIb3DQEBAQUAA4IBDWAWg9 EKAOIBAQCtbbso58PYU42KSDNW
    FZAjJKg5qiqcAYrduend2gSp]GuUWptNxJyixlBxpőkCi1tB5GQqlJaKVFNDWXn/
    fQ4NTbp5EUHoWkKZxPwbVTcF5VSHelaanOywLSDGEG9SXAI9CeuvvsSGbxeRMUEW
    OgAefi057749f2+L6ejsSn7ARnNxKO+LLBMGMpPd+IZ3VW7gNEYQQ/j+UYQZO2I
    340k+4Zn5D12UtwOP/R7q9DEAJd6k@USonur9KőukTK+c7st92zjskcqrtUWLW9W
    7BOdsSbXEBSC1hY9LFZMAWÞYKDocArVxT4mP2UEnq/MtqhCoW+GqRJK/nkFytAbf
    HpWdAgMBAAGj JZALMBUGA1UdEQQOMAyCCm1vbml0b3JpbmcWDAYDVROTAQH/BAIW
    ADANBgkqhkiG9WOBAQSFAAOCAQEAdkn/3+QArR+5LOvy28MIUG1IefDWX/KBZ7q/
    3rF1AKovaanGfu9UQZTH2jUhZiU@c4E1oqsVs4MVofgbf7jNr/Ae6okPPOa3YS4T
    NWX85nĐe2qBXdQPy6VPROSDU3P79MYHIH35vdb0+nvHQQ08s/I2MEr+KjUSOe6VC
    3/5kvNuYsItspi3Gr41TiRzwFEelASv9nxnc3X8Lh+2uB1Y2fyG9y0/eleklg9+i
    n₩lwBbky4dBb¥1p+9yuioyu/+vGIFotaqxoJ6GkEyk3P8Vyi/jcdItKsFUtFanqy
    XCxxuPpc9/SivPr9kvWjfQTAJKga012OLbMMUZNuyGuQhogj8g==
    -END CERTIFICATE--
    
    Issued by:
    	Site "mysite' local CA
    Issued to:
    	mysite
    Validity:
    	From Fri, 14 Oct 2022 03:04:08 +0000
    	To   Wed, 14 Feb 3021 03:04:08 +0000
    
    Do you want to establish this connectton? [Y/n]
    >Y
    
    Please enter password for 'cmkadmin'
    > 
    [user@ubuntuhost ~]$

    Successful registration after FIPS mode enabled


    Monitored host with FIPS enabled

    Screenshot of ubuntu host with fips mode enabled and Check_mk service status at OKImage Modified


Filter by label (Content by label)
showLabelsfalse
max5
spacesKB
showSpacefalse
sortmodified
reversetrue
typepage
cqllabel in ( "kb-how-to-article" , "howto" ) and type = "page" and space = "KB"
labelskb-how-to-article

...