From 1f3914c1d54c69a47245e3574b2073d74b90e59b Mon Sep 17 00:00:00 2001 From: Nathan Baker Date: Mon, 6 Oct 2025 17:49:49 +0200 Subject: [PATCH 1/3] [AGENTRUN-730] Fix URLs to unbreak FIPS certification pointer The page uses indexed URL references, but was overwriting the meaning of each index. Changed each URL reference to be a unique index, and put the index reference at the end of the file, as specified in the contribution guidelines. --- .../en/agent/configuration/fips-compliance.md | 20 ++++++++----------- 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/content/en/agent/configuration/fips-compliance.md b/content/en/agent/configuration/fips-compliance.md index 5337a7bd4de60..1c18588a09bfd 100644 --- a/content/en/agent/configuration/fips-compliance.md +++ b/content/en/agent/configuration/fips-compliance.md @@ -28,7 +28,6 @@ The FIPS Agent also includes [limited support for integrations][3] that need to ## Supported platforms and limitations - Supported platforms: ||| @@ -49,9 +48,7 @@ Supported products (Agent 7.65.0 and above): The Datadog FIPS Agent does **not** support the following: - Communication between Cluster Agent and Node Agents - Outbound communication to anything other than GovCloud -- Datadog [DDOT Collector][1] - -[1]: /opentelemetry/setup/ddot_collector +- Datadog [DDOT Collector][5] ## Compliance guidelines
@@ -68,10 +65,9 @@ The following baseline controls apply to each platform. Your system may require {{% tab "Windows" %}} - A non-containerized Windows host. -- Windows must be in [FIPS-compliant mode][1]. +- Windows must be in [FIPS-compliant mode][6]. - FIPS-compliant storage backing the host file system. -[1]: https://learn.microsoft.com/en-us/windows/security/security-foundations/certification/fips-140-validation {{% /tab %}} {{% tab "AWS Lambda" %}} @@ -109,7 +105,7 @@ In addition to the Operating System (OS) requirements above: ```sh DD_SITE="ddog-gov.com" DD_API_KEY="MY_API_KEY" DD_AGENT_FLAVOR="datadog-fips-agent" … bash -c "$(curl -L https://s3.amazonaws.com/dd-agent/scripts/install_script_agent7.sh)" ``` - 1. If you're installing with a package, [follow the instructions][1] to install the latest `datadog-fips-agent` package available for your platform. + 1. If you're installing with a package, [follow the instructions][7] to install the latest `datadog-fips-agent` package available for your platform. 1. Add `GOFIPS=1` to your Datadog environment variables, reload all service units, and restart the Datadog Agent service (`datadog-agent.service`). For example, if your host is using systemd: ```sh @@ -121,12 +117,11 @@ In addition to the Operating System (OS) requirements above: {{< img src="/agent/fips-linux.png" alt="Agent status command output with FIPS Mode enabled - Linux" style="width:100%;" >}} -[1]: /agent/guide/installing-the-agent-on-a-server-with-limited-internet-connectivity/ {{% /tab %}} {{% tab "Windows" %}} -1. Follow the [Windows instructions][1] to uninstall any existing Datadog Agent on the machine. +1. Follow the [Windows instructions][8] to uninstall any existing Datadog Agent on the machine. 1. Run the command below to install the FIPS Agent, replacing `DATADOG_API_KEY` with your API key: **Note:** FIPS support is only available on Agent versions 7.65.0 and above: @@ -149,8 +144,6 @@ if ($p.ExitCode -ne 0) { **Note**: The program name for the FIPS Agent in **Add or Remove Programs** is "Datadog FIPS Agent." -[1]: /agent/basic_agent_usage/windows/#uninstall-the-agent - {{% /tab %}} {{% tab "AWS Lambda" %}} @@ -203,8 +196,11 @@ You, the Datadog customer, are responsible for **host** security and hardening. ## Further reading {{< partial name="whats-next/whats-next.html" >}} - [1]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4282 [2]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4282.pdf [3]: /integrations/guide/fips-integrations [4]: /integrations/guide/jmxfetch-fips +[5]: /opentelemetry/setup/ddot_collector +[6]: https://learn.microsoft.com/en-us/windows/security/security-foundations/certification/fips-140-validation +[7]: /agent/guide/installing-the-agent-on-a-server-with-limited-internet-connectivity/ +[8]: /agent/basic_agent_usage/windows/#uninstall-the-agent \ No newline at end of file From 1569c28687d74c94df19c8b660dcd36236813fdb Mon Sep 17 00:00:00 2001 From: Nathan Baker Date: Tue, 7 Oct 2025 08:12:11 +0200 Subject: [PATCH 2/3] Fix url references for tabs --- content/en/agent/configuration/fips-compliance.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/content/en/agent/configuration/fips-compliance.md b/content/en/agent/configuration/fips-compliance.md index 1c18588a09bfd..29e6c72061df9 100644 --- a/content/en/agent/configuration/fips-compliance.md +++ b/content/en/agent/configuration/fips-compliance.md @@ -50,6 +50,7 @@ The Datadog FIPS Agent does **not** support the following: - Outbound communication to anything other than GovCloud - Datadog [DDOT Collector][5] + ## Compliance guidelines
This is not an exhaustive list. These requirements are a baseline only. You are responsible for evaluating your environment and implementing any additional controls needed to achieve full FIPS compliance. @@ -68,6 +69,7 @@ The following baseline controls apply to each platform. Your system may require - Windows must be in [FIPS-compliant mode][6]. - FIPS-compliant storage backing the host file system. +[6]: https://learn.microsoft.com/en-us/windows/security/security-foundations/certification/fips-140-validation {{% /tab %}} {{% tab "AWS Lambda" %}} @@ -117,6 +119,7 @@ In addition to the Operating System (OS) requirements above: {{< img src="/agent/fips-linux.png" alt="Agent status command output with FIPS Mode enabled - Linux" style="width:100%;" >}} +[7]: /agent/guide/installing-the-agent-on-a-server-with-limited-internet-connectivity/ {{% /tab %}} {{% tab "Windows" %}} @@ -144,6 +147,8 @@ if ($p.ExitCode -ne 0) { **Note**: The program name for the FIPS Agent in **Add or Remove Programs** is "Datadog FIPS Agent." +[8]: /agent/basic_agent_usage/windows/#uninstall-the-agent + {{% /tab %}} {{% tab "AWS Lambda" %}} @@ -201,6 +206,3 @@ You, the Datadog customer, are responsible for **host** security and hardening. [3]: /integrations/guide/fips-integrations [4]: /integrations/guide/jmxfetch-fips [5]: /opentelemetry/setup/ddot_collector -[6]: https://learn.microsoft.com/en-us/windows/security/security-foundations/certification/fips-140-validation -[7]: /agent/guide/installing-the-agent-on-a-server-with-limited-internet-connectivity/ -[8]: /agent/basic_agent_usage/windows/#uninstall-the-agent \ No newline at end of file From 98613b499bc8ae1d719ab9354426375a0725cdf0 Mon Sep 17 00:00:00 2001 From: hestonhoffman Date: Tue, 7 Oct 2025 09:14:11 -0700 Subject: [PATCH 3/3] fix links --- .../en/agent/configuration/fips-compliance.md | 35 ++++++++++--------- 1 file changed, 19 insertions(+), 16 deletions(-) diff --git a/content/en/agent/configuration/fips-compliance.md b/content/en/agent/configuration/fips-compliance.md index 29e6c72061df9..0dc52c40e16c7 100644 --- a/content/en/agent/configuration/fips-compliance.md +++ b/content/en/agent/configuration/fips-compliance.md @@ -30,7 +30,7 @@ The FIPS Agent also includes [limited support for integrations][3] that need to Supported platforms: -||| +| | | | --- | ----------- | | Bare metal and VMs | RHEL >= 7
Debian >= 8
Ubuntu >= 14.04
SUSE >= 12
Windows Server >= 2016
Windows >= 10| | Cloud and container| Amazon ECS
AWS EKS (Helm)
Docker| @@ -48,13 +48,12 @@ Supported products (Agent 7.65.0 and above): The Datadog FIPS Agent does **not** support the following: - Communication between Cluster Agent and Node Agents - Outbound communication to anything other than GovCloud -- Datadog [DDOT Collector][5] +- Datadog [DDOT Collector][4] ## Compliance guidelines -
-This is not an exhaustive list. These requirements are a baseline only. You are responsible for evaluating your environment and implementing any additional controls needed to achieve full FIPS compliance. -
+
This is not an exhaustive list. These requirements are a baseline only. You are responsible for evaluating your environment and implementing any additional controls needed to achieve full FIPS compliance.
+ The following baseline controls apply to each platform. Your system may require additional controls: {{< tabs >}} @@ -66,10 +65,10 @@ The following baseline controls apply to each platform. Your system may require {{% tab "Windows" %}} - A non-containerized Windows host. -- Windows must be in [FIPS-compliant mode][6]. +- Windows must be in [FIPS-compliant mode][1]. - FIPS-compliant storage backing the host file system. -[6]: https://learn.microsoft.com/en-us/windows/security/security-foundations/certification/fips-140-validation +[1]: https://learn.microsoft.com/en-us/windows/security/security-foundations/certification/fips-140-validation {{% /tab %}} {{% tab "AWS Lambda" %}} @@ -107,7 +106,7 @@ In addition to the Operating System (OS) requirements above: ```sh DD_SITE="ddog-gov.com" DD_API_KEY="MY_API_KEY" DD_AGENT_FLAVOR="datadog-fips-agent" … bash -c "$(curl -L https://s3.amazonaws.com/dd-agent/scripts/install_script_agent7.sh)" ``` - 1. If you're installing with a package, [follow the instructions][7] to install the latest `datadog-fips-agent` package available for your platform. + 1. If you're installing with a package, [follow the instructions][1] to install the latest `datadog-fips-agent` package available for your platform. 1. Add `GOFIPS=1` to your Datadog environment variables, reload all service units, and restart the Datadog Agent service (`datadog-agent.service`). For example, if your host is using systemd: ```sh @@ -119,12 +118,12 @@ In addition to the Operating System (OS) requirements above: {{< img src="/agent/fips-linux.png" alt="Agent status command output with FIPS Mode enabled - Linux" style="width:100%;" >}} -[7]: /agent/guide/installing-the-agent-on-a-server-with-limited-internet-connectivity/ +[1]: /agent/guide/installing-the-agent-on-a-server-with-limited-internet-connectivity/ {{% /tab %}} {{% tab "Windows" %}} -1. Follow the [Windows instructions][8] to uninstall any existing Datadog Agent on the machine. +1. Follow the [Windows instructions][1] to uninstall any existing Datadog Agent on the machine. 1. Run the command below to install the FIPS Agent, replacing `DATADOG_API_KEY` with your API key: **Note:** FIPS support is only available on Agent versions 7.65.0 and above: @@ -147,27 +146,30 @@ if ($p.ExitCode -ne 0) { **Note**: The program name for the FIPS Agent in **Add or Remove Programs** is "Datadog FIPS Agent." -[8]: /agent/basic_agent_usage/windows/#uninstall-the-agent +[1]: /agent/basic_agent_usage/windows/#uninstall-the-agent {{% /tab %}} {{% tab "AWS Lambda" %}} -For AWS Lambda FIPS compliance, follow the instructions in the [AWS Lambda FIPS Compliance](/serverless/aws_lambda/fips-compliance/) documentation. +For AWS Lambda FIPS compliance, follow the instructions in the [AWS Lambda FIPS Compliance][1] documentation. + +[1]: /serverless/aws_lambda/fips-compliance/ {{% /tab %}} {{% tab "AWS ECS" %}} -When following the [ECS installation instructions](/containers/amazon_ecs/), make sure to use these FIPS-specific configuration values for your Task Definition: +When following the [ECS installation instructions][1], make sure to use these FIPS-specific configuration values for your Task Definition: - Set `image` in the `containerDefinitions` object to `public.ecr.aws/datadog/agent:7-fips` - Set `DD_SITE` environment variable to `ddog-gov.com` +[1]: /containers/amazon_ecs/ {{% /tab %}} {{% tab "AWS EKS" %}} -When following the [Datadog Agent installation on Kubernetes](/containers/kubernetes/installation/) instructions, make sure to include these FIPS-specific configuration values in the `datadog-agent.yaml` file depending on your chosen installation method: +When following the [Datadog Agent installation on Kubernetes][1] instructions, make sure to include these FIPS-specific configuration values in the `datadog-agent.yaml` file depending on your chosen installation method: For the Datadog Operator: ```yaml @@ -184,6 +186,7 @@ datadog: useFIPSAgent: true ``` +[1]: /containers/kubernetes/installation/ {{% /tab %}} {{< /tabs >}} @@ -201,8 +204,8 @@ You, the Datadog customer, are responsible for **host** security and hardening. ## Further reading {{< partial name="whats-next/whats-next.html" >}} + [1]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4282 [2]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4282.pdf [3]: /integrations/guide/fips-integrations -[4]: /integrations/guide/jmxfetch-fips -[5]: /opentelemetry/setup/ddot_collector +[4]: /opentelemetry/setup/ddot_collector