stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity
Files
c58a236d70742082c8dda5a967972d08424732f2
git.stella-ops.org/docs/doctor/articles/crypto/fips.md
master c58a236d70 Doctor plugin checks: implement health check classes and documentation 
Implement remediation-aware health checks across all Doctor plugin modules
(Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment,
EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release,
Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation,
Authority, Core, Cryptography, Database, Docker, Integration, Notify,
Observability, Security, ServiceGraph, Sources, Verification).

Each check now emits structured remediation metadata (severity, category,
runbook links, and fix suggestions) consumed by the Doctor dashboard
remediation panel.

Also adds:
- docs/doctor/articles/ knowledge base for check explanations
- Advisory AI search seed and allowlist updates for doctor content
- Sprint plan for doctor checks documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 12:28:00 +02:00

4.7 KiB
Raw Blame History

checkId, plugin, severity, tags
checkId plugin severity tags
check.crypto.fips stellaops.doctor.crypto fail
crypto
fips
compliance
security

FIPS 140-2 Compliance

What It Checks

Verifies that FIPS 140-2 mode is enabled and that FIPS-compliant algorithms are functional. The check performs two phases:

Phase 1 - FIPS mode detection:

  • On Linux: reads /proc/sys/crypto/fips_enabled (expects "1").
  • On Windows: checks the registry at HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled and the DOTNET_SYSTEM_NET_SECURITY_USEFIPSVALIDATED environment variable.
  • Reports the platform, crypto provider (OpenSSL/bcrypt/CoreCrypto), and whether the OpenSSL FIPS module is loaded.

Phase 2 - Algorithm verification (actual crypto operations, not just configuration):

  • AES-256: creates key, encrypts test data, verifies output.
  • SHA-256: hashes test data, verifies 32-byte output.
  • SHA-384: hashes test data, verifies 48-byte output.
  • SHA-512: hashes test data, verifies 64-byte output.
  • RSA-2048: generates key pair, signs and verifies test data.
  • ECDSA-P256: generates key pair, signs and verifies test data.
Condition Result
FIPS mode not enabled at OS level Fail
FIPS mode enabled but some algorithms fail testing Warn
FIPS mode enabled and all algorithms pass Pass

Evidence collected: fips_mode_enabled, platform, crypto_provider, openssl_fips_module_loaded, crypto_profile, algorithms_tested, algorithms_available, algorithms_missing, per-algorithm test results.

The check only runs when Crypto:Profile or Cryptography:Profile contains "fips", "fedramp", or equals "us-gov".

Why It Matters

FIPS 140-2 compliance is mandatory for US government deployments (FedRAMP, DoD, ITAR) and many regulated industries (finance, healthcare). Running without FIPS mode means cryptographic operations may use non-validated implementations, which violates federal security requirements. Even with FIPS mode enabled, individual algorithm failures indicate a broken crypto subsystem that could silently produce invalid signatures or weak encryption.

Common Causes

  • FIPS mode not enabled in the operating system
  • OpenSSL FIPS provider not loaded or not installed
  • .NET runtime not configured for FIPS-validated algorithms
  • FIPS module version incompatible with the OpenSSL version
  • Algorithm test failure due to incomplete FIPS provider installation

How to Fix

Docker Compose

# Check if FIPS mode is enabled in the container
docker compose exec gateway cat /proc/sys/crypto/fips_enabled

# Enable FIPS mode in the host OS first (container inherits host FIPS)
# Then restart the compose stack

# Set crypto profile
# Crypto__Profile=fips

# Verify algorithms inside container
docker compose exec gateway openssl list -providers
docker compose exec gateway openssl list -digest-algorithms

Bare Metal / systemd

Linux (RHEL/CentOS/Fedora):

# Enable FIPS mode
sudo fips-mode-setup --enable

# Verify FIPS status
fips-mode-setup --check

# Reboot required after enabling
sudo reboot

# After reboot, verify
cat /proc/sys/crypto/fips_enabled  # Should output "1"

# Restart StellaOps services
sudo systemctl restart stellaops

Linux (Ubuntu/Debian):

# Install FIPS packages
sudo apt install ubuntu-fips
sudo ua enable fips

# Reboot required
sudo reboot

Windows:

Enable via Local Security Policy:
  Security Settings > Local Policies > Security Options >
  "System cryptography: Use FIPS compliant algorithms" = Enabled

Or via registry (requires reboot):
  reg add HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy /v Enabled /t REG_DWORD /d 1 /f

# Configure StellaOps
# "Crypto": { "Profile": "fips" }

sudo systemctl restart stellaops-platform

Kubernetes / Helm

# values.yaml
crypto:
  profile: fips

# FIPS must be enabled at the node level
# For EKS: use Amazon Linux 2 FIPS AMI
# For AKS: use FIPS-enabled node pools
# For GKE: use Container-Optimized OS with FIPS

# Verify FIPS in pod
kubectl exec deploy/stellaops-gateway -- cat /proc/sys/crypto/fips_enabled

# Check OpenSSL FIPS provider
kubectl exec deploy/stellaops-gateway -- openssl list -providers

helm upgrade stellaops ./charts/stellaops -f values.yaml

Verification

stella doctor run --check check.crypto.fips

Related Checks

  • check.crypto.certchain — certificates must use FIPS-approved algorithms
  • check.crypto.eidas — eIDAS has overlapping but distinct requirements from FIPS
  • check.crypto.hsm — FIPS 140-2 Level 3+ may require HSM for key storage
  • check.compliance.attestation-signing — signing must use FIPS-validated algorithms in FIPS deployments