Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 42 Next »

This article explains how to enable FIPS mode in Ubuntu-based systems working with Checkmk.

(FIPS)is the Federal Information Processing Standards. It is a set of standards issued by the National Institute of Technology (NIST) in the United States to ensure the security and interoperability of information technology systems. Federal agencies and contractors use these standards to ensure their information systems are secure and meet certain/specific requirements for handling sensitive information/data.

LAST TESTED ON CHECKMK 2.2.0P1

Table of Contents


Proceed with caution, as Checkmk does not currently support FIPS configurations.

Step-by-step guide


FIPS mode is only available via an Ubuntu Pro subscription. A $25/yr/Desktop type subscription was used for this demonstration.

More information on attaching an Ubuntu Pro subscription can be found here:
https://ubuntu.com/server/docs/install/subscription


  1. The following image displays what should be enabled and where to locate your subscription token.

    Screenshot of Ubuntu pro desktop subscription token location

    .
  2. Next, you will need to install Ubuntu Advantage on the system.

    [user@ubuntuhost ~]$ sudo apt install ubuntu-advantage-tools

    .
    .

  3. After you have the token, you can use the following command to activate FIPS via Ubuntu Advantage.

    [user@ubuntuhost ~]$ sudo ua attach <your_pro_token>
    [user@ubuntuhost ~]$ sudo va attach C1MFo2BfFVQek921GHB11aC35VKWA
    [sudo] password for cmkadmin:
    
    	Enabling default service esm-infra
    	Updating package lists
    	Ubuntu Pro: ESM Infra enabled
    	Enabling default service fips-updates
    	Updating package lists
    	Installing FIPS Updates packages
    	FIPS Updates enabled
    	A reboot is required to complete install.
    	Enabling default service livepatch
    	Installing canonical-livepatch snap
    	Canonical livepatch enabled.
    	This machine is now attached to 'Ubuntu Pro Desktop'
    
    
    SERVICE 		ENTITLED STATUS 		STATUS 		DESCRIPTION
    esm-infra 		yes 					enabled 	Expanded Security Maintenance for Infrastructure
    fips-updates 	yes						enabled 	NIST-certified core packages with prlorlty security updates
    livepatch 		yes						enabled		Canonical Livepatch service
    usg				yes						disabled	Security compliance and audit tools
    
    NOTICES
    Operation in progress: pro attach
    FIPS support reguires system reboot to complete conflguration.
    
    Enable services with: pro enable <service>
    
    	Account;
    	Subscription: Ubuntu Pro Desktop
    	Valid until: Fri Jan 13 13:34:55 2023 UTC
    	Technical support level: essential  
    
    [user@ubuntuhost ~]$

    .

  4. Now reboot the system. Here you can see that FIPS mode has been activated.

    Screenshot of ubuntu booting in fips mode

    You should reboot to this prompt.

    Checking kernel image: /boot/vmlinuz-5.4.0-1007-fips
    FIPS check done
    done.
    
    Welcome to Ubuntu 20.04.05 LTS!

    .

  5. Now you can register this host with the Checkmk Agent for monitoring.

    [user@ubuntuhost ~]$ sudo cmk-agent-ctl register --site mysite --hostname ubuntuhost --server 192.168.0.15
    user cmkadnin
    Attempting to register at 192.168.0.15:8000/mysite. Server certificate details:
    
    PEM-encoded certificate:
    -----BEGIN CERTIFICATE-
    MIICBTCCAdNgAWIBAGIUaCklbywn@E@BULRn?kqEHqlVEeEWDQYJKOZIhVCNAQEL
    BQAWJTEJNCEGALUEAwwaU2l0ZSAnb₩9uaXRvcmlUZycgbG9jYWwgQOEWIBCNMjIx
    MDEOMDMWNDA4WhgPMZAYNTAYNTQWMZAOMDhaMBUXEZARB9NVBAMMCm1vbml0b3Jp
    brcwggELMAOGCSqGSIb3DQEBAQUAA4IBDWAWg9 EKAOIBAQCtbbso58PYU42KSDNW
    FZAjJKg5qiqcAYrduend2gSp]GuUWptNxJyixlBxpőkCi1tB5GQqlJaKVFNDWXn/
    fQ4NTbp5EUHoWkKZxPwbVTcF5VSHelaanOywLSDGEG9SXAI9CeuvvsSGbxeRMUEW
    OgAefi057749f2+L6ejsSn7ARnNxKO+LLBMGMpPd+IZ3VW7gNEYQQ/j+UYQZO2I
    340k+4Zn5D12UtwOP/R7q9DEAJd6k@USonur9KőukTK+c7st92zjskcqrtUWLW9W
    7BOdsSbXEBSC1hY9LFZMAWÞYKDocArVxT4mP2UEnq/MtqhCoW+GqRJK/nkFytAbf
    HpWdAgMBAAGj JZALMBUGA1UdEQQOMAyCCm1vbml0b3JpbmcWDAYDVROTAQH/BAIW
    ADANBgkqhkiG9WOBAQSFAAOCAQEAdkn/3+QArR+5LOvy28MIUG1IefDWX/KBZ7q/
    3rF1AKovaanGfu9UQZTH2jUhZiU@c4E1oqsVs4MVofgbf7jNr/Ae6okPPOa3YS4T
    NWX85nĐe2qBXdQPy6VPROSDU3P79MYHIH35vdb0+nvHQQ08s/I2MEr+KjUSOe6VC
    3/5kvNuYsItspi3Gr41TiRzwFEelASv9nxnc3X8Lh+2uB1Y2fyG9y0/eleklg9+i
    n₩lwBbky4dBb¥1p+9yuioyu/+vGIFotaqxoJ6GkEyk3P8Vyi/jcdItKsFUtFanqy
    XCxxuPpc9/SivPr9kvWjfQTAJKga012OLbMMUZNuyGuQhogj8g==
    -END CERTIFICATE--
    
    Issued by:
    	Site "mysite' local CA
    Issued to:
    	mysite
    Validity:
    	From Fri, 14 Oct 2022 03:04:08 +0000
    	To   Wed, 14 Feb 3021 03:04:08 +0000
    
    Do you want to establish this connectton? [Y/n]
    >Y
    
    Please enter password for 'cmkadmin'
    > 
    [user@ubuntuhost ~]$

    Successful registration after FIPS mode enabled


    Monitored host with FIPS enabled

    Screenshot of ubuntu host with fips mode enabled and Check_mk service status at OK


  • No labels