feat: Add support for FIPS 140-3 compliance check #27

anurag-rajawat · 2024-05-20T08:38:31Z

Related to #26

src/tlsscan

Signed-off-by: Anurag Rajawat <anuragsinghrajawat22@gmail.com>

anurag-rajawat · 2024-06-03T14:30:50Z

Sample outputs:

CSV summary

Name               ,Address                                       ,Status       ,Version   ,Ciphersuite                     ,Hash     ,Signature ,Verification                                   ,FIPS_140_3_Compliant
"Google"           ,"google.com:443"                              ,"TLS"        ,"TLSv1.3" ,"TLS_AES_256_GCM_SHA384"        ,"SHA256" ,"ECDSA"   ,"OK"                                           ,"Yes"
"Accuknox"         ,"accuknox.com:443"                            ,"TLS"        ,"TLSv1.3" ,"TLS_AES_256_GCM_SHA384"        ,"SHA256" ,"ECDSA"   ,"OK"                                           ,"Yes"
"BadSSL"           ,"expired.badssl.com:443"                      ,"TLS"        ,"TLSv1.2" ,"ECDHE-RSA-AES128-GCM-SHA256"   ,"SHA512" ,"RSA"     ,"certificate has expired"                      ,"No"
"BadSSL"           ,"wrong.host.badssl.com:443"                   ,"TLS"        ,"TLSv1.2" ,"ECDHE-RSA-AES128-GCM-SHA256"   ,"SHA512" ,"RSA"     ,"OK"                                           ,"No"
"BadSSL"           ,"self-signed.badssl.com:443"                  ,"TLS"        ,"TLSv1.2" ,"ECDHE-RSA-AES128-GCM-SHA256"   ,"SHA512" ,"RSA"     ,"self-signed certificate"                      ,"No"
"BadSSL"           ,"untrusted-root.badssl.com:443"               ,"TLS"        ,"TLSv1.2" ,"ECDHE-RSA-AES128-GCM-SHA256"   ,"SHA512" ,"RSA"     ,"self-signed certificate in certificate chain" ,"No"
"BadSSL"           ,"revoked.badssl.com:443"                      ,"TLS"        ,"TLSv1.2" ,"ECDHE-ECDSA-AES128-GCM-SHA256" ,"SHA512" ,"ECDSA"   ,"OK"                                           ,"No"
"BadSSL"           ,"pinning-test.badssl.com:443"                 ,"TLS"        ,"TLSv1.2" ,"ECDHE-RSA-AES128-GCM-SHA256"   ,"SHA512" ,"RSA"     ,"OK"                                           ,"No"
"BadSSL"           ,"dh480.badssl.com:443"                        ,"PLAIN_TEXT" ,""        ,""                              ,""       ,""        ,""                                             ,"No"
"LocalTest"        ,"isunknownaddress.com:12345"                  ,"CONNFAIL"   ,""        ,""                              ,""       ,""        ,""                                             ,"No"
"webserver"        ,"localhost:9090"                              ,"CONNFAIL"   ,""        ,""                              ,""       ,""        ,""                                             ,"No"
"localssh"         ,"localhost:22"                                ,"PLAIN_TEXT" ,""        ,""                              ,""       ,""        ,""                                             ,"No"
"AmazonAPIGateway" ,"apigateway-fips.us-east-1.amazonaws.com:443" ,"TLS"        ,"TLSv1.3" ,"TLS_AES_128_GCM_SHA256"        ,"SHA256" ,"RSA-PSS" ,"OK"                                           ,"Yes"
"AmazonDynamoDB"   ,"dynamodb-fips.ca-west-1.amazonaws.com:443"   ,"TLS"        ,"TLSv1.3" ,"TLS_AES_256_GCM_SHA384"        ,"SHA256" ,"RSA-PSS" ,"OK"                                           ,"Yes"

JSON report (only with fips-check)

{
	"app": {
		"version": "v0.1"
	},
	"endpoints": [
		{
			"svc": "Google",
			"host": "google.com",
			"port": "443",
			"finding": [
				{
					"plugin": "fips-140-3-compliance-check",
					"title": "FIPS 140-3 compliant encryption check",
					"compliance": "FIPS.140.3",
					"control-id": "3.3",
					"cipherSuiteInUse": "TLS_AES_256_GCM_SHA384",
					"description": "Using Secure TLS protocol and FIPS-approved Ciphers. FIPS-approved ciphersuite in use is TLS_AES_256_GCM_SHA384",
					"link": "https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf",
					"severity": "medium",
					"remediationEstEffort": "medium",
					"solution": "NA",
					"compliant": "Yes"
				}
			]
		},
		{
			"svc": "Accuknox",
			"host": "accuknox.com",
			"port": "443",
			"finding": [
				{
					"plugin": "fips-140-3-compliance-check",
					"title": "FIPS 140-3 compliant encryption check",
					"compliance": "FIPS.140.3",
					"control-id": "3.3",
					"cipherSuiteInUse": "TLS_AES_256_GCM_SHA384",
					"description": "Using Secure TLS protocol and FIPS-approved Ciphers. FIPS-approved ciphersuite in use is TLS_AES_256_GCM_SHA384",
					"link": "https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf",
					"severity": "medium",
					"remediationEstEffort": "medium",
					"solution": "NA",
					"compliant": "Yes"
				}
			]
		},
		{
			"svc": "BadSSL",
			"host": "expired.badssl.com",
			"port": "443",
			"finding": [
				{
					"plugin": "fips-140-3-compliance-check",
					"title": "FIPS 140-3 compliant encryption check",
					"compliance": "FIPS.140.3",
					"control-id": "3.3",
					"cipherSuiteInUse": "ECDHE-RSA-AES128-GCM-SHA256",
					"description": "Approved ciphers to meet the requirements of FIPS-140-3 compliant encryption.",
					"link": "https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf",
					"severity": "medium",
					"remediationEstEffort": "medium",
					"solution": "use FIPS-approved ciphers: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CCM, TLS_ECDHE_ECDSA_WITH_AES_128_CCM, TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]",
					"compliant": "No"
				}
			]
		},
		{
			"svc": "BadSSL",
			"host": "wrong.host.badssl.com",
			"port": "443",
			"finding": [
				{
					"plugin": "fips-140-3-compliance-check",
					"title": "FIPS 140-3 compliant encryption check",
					"compliance": "FIPS.140.3",
					"control-id": "3.3",
					"cipherSuiteInUse": "ECDHE-RSA-AES128-GCM-SHA256",
					"description": "Approved ciphers to meet the requirements of FIPS-140-3 compliant encryption.",
					"link": "https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf",
					"severity": "medium",
					"remediationEstEffort": "medium",
					"solution": "use FIPS-approved ciphers: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CCM, TLS_ECDHE_ECDSA_WITH_AES_128_CCM, TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]",
					"compliant": "No"
				}
			]
		},
		{
			"svc": "BadSSL",
			"host": "self-signed.badssl.com",
			"port": "443",
			"finding": [
				{
					"plugin": "fips-140-3-compliance-check",
					"title": "FIPS 140-3 compliant encryption check",
					"compliance": "FIPS.140.3",
					"control-id": "3.3",
					"cipherSuiteInUse": "ECDHE-RSA-AES128-GCM-SHA256",
					"description": "Approved ciphers to meet the requirements of FIPS-140-3 compliant encryption.",
					"link": "https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf",
					"severity": "medium",
					"remediationEstEffort": "medium",
					"solution": "use FIPS-approved ciphers: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CCM, TLS_ECDHE_ECDSA_WITH_AES_128_CCM, TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]",
					"compliant": "No"
				}
			]
		},
		{
			"svc": "BadSSL",
			"host": "untrusted-root.badssl.com",
			"port": "443",
			"finding": [
				{
					"plugin": "fips-140-3-compliance-check",
					"title": "FIPS 140-3 compliant encryption check",
					"compliance": "FIPS.140.3",
					"control-id": "3.3",
					"cipherSuiteInUse": "ECDHE-RSA-AES128-GCM-SHA256",
					"description": "Approved ciphers to meet the requirements of FIPS-140-3 compliant encryption.",
					"link": "https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf",
					"severity": "medium",
					"remediationEstEffort": "medium",
					"solution": "use FIPS-approved ciphers: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CCM, TLS_ECDHE_ECDSA_WITH_AES_128_CCM, TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]",
					"compliant": "No"
				}
			]
		},
		{
			"svc": "BadSSL",
			"host": "revoked.badssl.com",
			"port": "443",
			"finding": [
				{
					"plugin": "fips-140-3-compliance-check",
					"title": "FIPS 140-3 compliant encryption check",
					"compliance": "FIPS.140.3",
					"control-id": "3.3",
					"cipherSuiteInUse": "ECDHE-ECDSA-AES128-GCM-SHA256",
					"description": "Approved ciphers to meet the requirements of FIPS-140-3 compliant encryption.",
					"link": "https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf",
					"severity": "medium",
					"remediationEstEffort": "medium",
					"solution": "use FIPS-approved ciphers: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CCM, TLS_ECDHE_ECDSA_WITH_AES_128_CCM, TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]",
					"compliant": "No"
				}
			]
		},
		{
			"svc": "BadSSL",
			"host": "pinning-test.badssl.com",
			"port": "443",
			"finding": [
				{
					"plugin": "fips-140-3-compliance-check",
					"title": "FIPS 140-3 compliant encryption check",
					"compliance": "FIPS.140.3",
					"control-id": "3.3",
					"cipherSuiteInUse": "ECDHE-RSA-AES128-GCM-SHA256",
					"description": "Approved ciphers to meet the requirements of FIPS-140-3 compliant encryption.",
					"link": "https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf",
					"severity": "medium",
					"remediationEstEffort": "medium",
					"solution": "use FIPS-approved ciphers: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CCM, TLS_ECDHE_ECDSA_WITH_AES_128_CCM, TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]",
					"compliant": "No"
				}
			]
		},
		{
			"svc": "BadSSL",
			"host": "dh480.badssl.com",
			"port": "443",
			"finding": [
				{
					"plugin": "fips-140-3-compliance-check",
					"title": "FIPS 140-3 compliant encryption check",
					"compliance": "FIPS.140.3",
					"control-id": "3.2",
					"cipherSuiteInUse": "",
					"description": "Secure TLS protocol is required to meet the requirements of FIPS-140-3 compliant encryption.",
					"link": "https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf",
					"severity": "critical",
					"remediationEstEffort": "medium",
					"solution": "Implement secure TLS protocol (TLS >= v1.2)",
					"compliant": "No"
				}
			]
		},
		{
			"svc": "LocalTest",
			"host": "isunknownaddress.com",
			"port": "12345",
			"finding": [
				{
					"plugin": "tls-security",
					"title": "use of TLS security",
					"compliance": "NIST.SP.800-52",
					"control-id": "2.1",
					"description": "It is mandatory for TLS to be enabled for all network communications including east-west traffic.",
					"link": "https://csrc.nist.gov/news/2019/nist-publishes-sp-800-52-revision-2",
					"severity": "critical",
					"remediationEstEffort": "medium",
					"solution": "enable TLS or transport security on the port.",
					"status": "FAIL"
				}
			]
		},
		{
			"svc": "webserver",
			"host": "localhost",
			"port": "9090",
			"finding": [
				{
					"plugin": "tls-security",
					"title": "use of TLS security",
					"compliance": "NIST.SP.800-52",
					"control-id": "2.1",
					"description": "It is mandatory for TLS to be enabled for all network communications including east-west traffic.",
					"link": "https://csrc.nist.gov/news/2019/nist-publishes-sp-800-52-revision-2",
					"severity": "critical",
					"remediationEstEffort": "medium",
					"solution": "enable TLS or transport security on the port.",
					"status": "FAIL"
				}
			]
		},
		{
			"svc": "localssh",
			"host": "localhost",
			"port": "22",
			"finding": [
				{
					"plugin": "fips-140-3-compliance-check",
					"title": "FIPS 140-3 compliant encryption check",
					"compliance": "FIPS.140.3",
					"control-id": "3.2",
					"cipherSuiteInUse": "",
					"description": "Secure TLS protocol is required to meet the requirements of FIPS-140-3 compliant encryption.",
					"link": "https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf",
					"severity": "critical",
					"remediationEstEffort": "medium",
					"solution": "Implement secure TLS protocol (TLS >= v1.2)",
					"compliant": "No"
				}
			]
		},
		{
			"svc": "AmazonAPIGateway",
			"host": "apigateway-fips.us-east-1.amazonaws.com",
			"port": "443",
			"finding": [
				{
					"plugin": "fips-140-3-compliance-check",
					"title": "FIPS 140-3 compliant encryption check",
					"compliance": "FIPS.140.3",
					"control-id": "3.3",
					"cipherSuiteInUse": "TLS_AES_128_GCM_SHA256",
					"description": "Using Secure TLS protocol and FIPS-approved Ciphers. FIPS-approved ciphersuite in use is TLS_AES_128_GCM_SHA256",
					"link": "https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf",
					"severity": "medium",
					"remediationEstEffort": "medium",
					"solution": "NA",
					"compliant": "Yes"
				}
			]
		},
		{
			"svc": "AmazonDynamoDB",
			"host": "dynamodb-fips.ca-west-1.amazonaws.com",
			"port": "443",
			"finding": [
				{
					"plugin": "fips-140-3-compliance-check",
					"title": "FIPS 140-3 compliant encryption check",
					"compliance": "FIPS.140.3",
					"control-id": "3.3",
					"cipherSuiteInUse": "TLS_AES_256_GCM_SHA384",
					"description": "Using Secure TLS protocol and FIPS-approved Ciphers. FIPS-approved ciphersuite in use is TLS_AES_256_GCM_SHA384",
					"link": "https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf",
					"severity": "medium",
					"remediationEstEffort": "medium",
					"solution": "NA",
					"compliant": "Yes"
				}
			]
		}
	]
}

Complete report.json

anurag-rajawat · 2024-06-03T14:32:51Z

Does the sample report look good to you? Once confirmed, I'll update the documentation.

nyrahul requested changes May 20, 2024

View reviewed changes

src/tlsscan Outdated Show resolved Hide resolved

anurag-rajawat marked this pull request as draft May 27, 2024 11:55

feat: Add support for FIPS 140-3 encryption compliance check

632ed8b

Signed-off-by: Anurag Rajawat <anuragsinghrajawat22@gmail.com>

anurag-rajawat force-pushed the feat-fips branch from a9940b6 to 632ed8b Compare June 3, 2024 14:20

anurag-rajawat requested a review from nyrahul June 3, 2024 14:32

anurag-rajawat marked this pull request as ready for review June 4, 2024 02:08

nandhued mentioned this pull request Jun 4, 2024

k8tls Adapter 5GSEC/nimbus#110

Closed

nyrahul merged commit 7b6a24d into kubearmor:main Jun 7, 2024
1 of 2 checks passed

anurag-rajawat deleted the feat-fips branch June 7, 2024 03:54

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: Add support for FIPS 140-3 compliance check #27

feat: Add support for FIPS 140-3 compliance check #27

anurag-rajawat commented May 20, 2024

anurag-rajawat commented Jun 3, 2024

anurag-rajawat commented Jun 3, 2024

feat: Add support for FIPS 140-3 compliance check #27

feat: Add support for FIPS 140-3 compliance check #27

Conversation

anurag-rajawat commented May 20, 2024

anurag-rajawat commented Jun 3, 2024

anurag-rajawat commented Jun 3, 2024