From 57334116cce244dc5b19f971fb216bdaebd3eb4f Mon Sep 17 00:00:00 2001 From: lsgunn-teleport <136391445+lsgunn-teleport@users.noreply.github.com> Date: Tue, 3 Oct 2023 09:26:43 -0700 Subject: [PATCH] [v14] docs: Add how to verify the binaries are FIPS-compliant #32169 (#32882) * Add how to verify the binaries are FIPS-compliant * Clean up some wording and typos * Typo and spellchecker update * Manually enter changes from 9a1deca568038ddb310ee581fc7272a341b69293 * Manually enter changes from 4a4012fdb61b92c38d25ddada89068af6f6683a7 * Manually enter changes from c59be3e8de5523f43abfae076b39cb6e7d31b66d * Manually enter changes from 9a1deca568038ddb310ee581fc7272a341b69293 --- docs/cspell.json | 1 + .../compliance-frameworks/fedramp.mdx | 61 ++++++++++++------- .../compliance-frameworks/soc2.mdx | 2 +- .../helm-reference/teleport-cluster.mdx | 2 +- 4 files changed, 42 insertions(+), 24 deletions(-) diff --git a/docs/cspell.json b/docs/cspell.json index d927b95ed9927..92911a9015812 100644 --- a/docs/cspell.json +++ b/docs/cspell.json @@ -287,6 +287,7 @@ "bjoerger", "bluemix", "boltdb", + "boringcrypto", "boto", "buildbox", "cacerts", diff --git a/docs/pages/access-controls/compliance-frameworks/fedramp.mdx b/docs/pages/access-controls/compliance-frameworks/fedramp.mdx index 4ce481cf0156a..1b2e25038d277 100644 --- a/docs/pages/access-controls/compliance-frameworks/fedramp.mdx +++ b/docs/pages/access-controls/compliance-frameworks/fedramp.mdx 
@@ -3,12 +3,14 @@ title: FedRAMP Compliance for Infrastructure Access description: How to configure SSH, Kubernetes, database, and web app access to be FedRAMP compliant, including support for FIPS 140-2. --- -Teleport provides the foundation to meet FedRAMP requirements for the purposes of accessing infrastructure. This includes support for [FIPS 140-2](https://en.wikipedia.org/wiki/FIPS\_140-2), also known as the Federal Information Processing Standard, which is the US government approved standard for cryptographic modules. This document outlines a high -level overview of how Teleport FIPS mode works and how it can help your company to become FedRAMP authorized. +Teleport provides the foundation to meet FedRAMP requirements for the purposes of accessing infrastructure. +This includes support for the Federal Information Processing Standard [FIPS 140-2](https://en.wikipedia.org/wiki/FIPS\_140-2). +This standard is the US government approved standard for cryptographic modules. This document explains how +Teleport FIPS mode works and how it can help your company to become FedRAMP authorized. ## Obtain FedRAMP authorization with Teleport -Teleport includes new FedRAMP and FIPS 140-2 features to support companies that sell into +Teleport includes FedRAMP and FIPS 140-2 features to support companies that sell into government agencies. | Control | Teleport Features | 
@@ -25,29 +27,44 @@ government agencies. | [IA-03 Device Identification and Authentication]((=fedramp.control_url=)IA-3) | Teleport requires valid x509 or SSH certificates issued by a Teleport Certificate Authority (CA) to establish a network connection for device-to-device network connection between Teleport components. | | [SC-12 Cryptographic Key Establish and Management]((=fedramp.control_url=)SC-12) | Teleport initializes cryptographic keys that act as a Certificate Authority (CA) to further issue x509 and SSH certificates. SSH and x509 user certificates that are issued are signed by the CA and are (by default) short-lived. SSH host certificates are also signed by the CA and rotated automatically (a manual force rotation can also be performed).
Teleport Enterprise builds against a FIPS 140-2 compliant library (BoringCrypto) is available.
In addition, when Teleport Enterprise is in FedRAMP/FIPS 140-2 mode, Teleport will only start and use FIPS 140-2 compliant cryptography. | -## Setup +## Download and install -If your Teleport cluster is running on AWS, it must be running in a GovCloud -region to support FIPS. +You can follow the [Installation instructions](../../installation.mdx#installation-instructions) for +Teleport Enterprise edition to download and install the appropriate FIPS-compliant binaries for +your operating environment and package manager or from compressed archive (tarball). -Sign in to your [Teleport account](https://teleport.sh) to download a FIPS binary -for Teleport Enterprise. Look for `Linux 64-bit (FedRAMP/FIPS)`. RPM and DEB -packages are also available. - -After downloading the binary tarball, run: +For example, you can download and install from the compressed archive by running the following commands: ```code -$ tar -xzf teleport-ent-v(=teleport.version=)-linux-amd64-fips-bin.tar.gz +$ curl https://get.gravitational.com/teleport-ent-(= teleport.version =)-linux--fips-bin.tar.gz.sha256 + +$ curl -O https://cdn.teleport.dev/teleport-ent-(= teleport.version =)-linux--fips-bin.tar.gz + +# Verify that the checksums match +$ shasum -a 256 teleport-ent-(= teleport.version =)-linux--fips-bin.tar.gz + +$ tar -xvf teleport-ent-(= teleport.version =)-linux--fips-bin.tar.gz $ cd teleport-ent $ sudo ./install -# This will copy Teleport Enterprise to /usr/local/bin. ``` -## Configuration +After you download and install, all of the Teleport Enterprise binaries are +installed in the `/usr/local/bin` directory. You can verify you have FIPS-compliant +binaries installed by running the `teleport version` command and verifying that +the `X:boringcrypto` library is listed. 
For example: + +```code +$ teleport version +Teleport Enterprise (= teleport.version =) (= teleport.git =) (= teleport.golang =) X:boringcrypto +``` + +If your Teleport cluster runs on AWS, the cluster can run in US-East or US-West regions for services +with low or moderate impact levels. For services with a high impact level, the cluster must run +in a GovCloud region to support FIPS. -### Teleport Auth Service +## Configure the Teleport Auth Service -Now, save the following configuration file as `/etc/teleport.yaml` on the Teleport Auth +Save the following configuration file as `/etc/teleport.yaml` on the Teleport Auth Service: ```yaml @@ -90,7 +107,7 @@ ssh_service: enabled: false ``` -### Teleport Node +## Configure the Teleport SSH Service Save the following configuration file as `/etc/teleport.yaml` on the Node Service host: @@ -114,9 +131,9 @@ proxy_service: enabled: false ``` -### Systemd Unit File +## Configure service unit file -Next, download the systemd service unit file from the [examples directory](https://github.com/gravitational/teleport/tree/branch/v(=teleport.major_version=)/examples/systemd/fips) +Download the `systemd` service unit file from the [examples directory](https://github.com/gravitational/teleport/tree/branch/v(=teleport.major_version=)/examples/systemd/fips) on GitHub and save it as `/etc/systemd/system/teleport.service` on both servers. ```code @@ -125,7 +142,7 @@ $ sudo systemctl daemon-reload $ sudo systemctl enable teleport ``` -### Starting Teleport in FIPS mode +## Start Teleport in FIPS mode When using `teleport start --fips`, Teleport will start in FIPS mode. @@ -142,7 +159,7 @@ When using `teleport start --fips`, Teleport will start in FIPS mode. - Running commands like `ps aux` can be useful to note that Teleport is running in FIPS mode. -### Default Cryptographic Algorithms +## Default cryptographic algorithms In FIPS mode, Teleport will use the following cryptographic algorithms by default. 
@@ -171,7 +188,7 @@ Default FIPS ciphersuites for TLS: - `tls-ecdhe-rsa-with-aes-256-gcm-sha384` - `tls-ecdhe-ecdsa-with-aes-256-gcm-sha384` -### FedRAMP Audit Log +## FedRAMP audit log At the close of a connection (close of a \*srv.ServerContext), the total data transmitted and received is emitted to the Audit Log. diff --git a/docs/pages/access-controls/compliance-frameworks/soc2.mdx b/docs/pages/access-controls/compliance-frameworks/soc2.mdx index 6573d1e91f7c8..594f3212f0caa 100644 --- a/docs/pages/access-controls/compliance-frameworks/soc2.mdx +++ b/docs/pages/access-controls/compliance-frameworks/soc2.mdx 
@@ -69,7 +69,7 @@ Each principle has many "Points of Focus" which will apply differently to differ | CC6.6 - Protects Identification and Authentication Credentials | Identification and authentication credentials are protected during transmission outside system boundaries. | [Yes, Teleport protects credentials outside your network allowing for Zero Trust network architecture](https://goteleport.com/blog/applying-principles-of-zero-trust-to-ssh/) | | CC6.6 - Requires Additional Authentication or Credentials | Additional authentication information or credentials are required when accessing the system from outside its boundaries. | [Yes, Teleport can manage MFA with TOTP, WebAuthn or U2F Standards or connect to your Identity Provider using SAML, OAUTH or OIDC](../../access-controls/sso.mdx) | | CC6.6 - Implements Boundary Protection Systems | Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts. | [Trusted clusters](../../management/admin/trustedclusters.mdx) | -| CC6.7 - Uses Encryption Technologies or Secure Communication Channels to Protect Data | Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points. | [Teleport has strong encryption including a FedRAMP compliant FIPS mode](./fedramp.mdx#starting-teleport-in-fips-mode) | +| CC6.7 - Uses Encryption Technologies or Secure Communication Channels to Protect Data | Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points. 
| [Teleport has strong encryption including a FedRAMP compliant FIPS mode](./fedramp.mdx#start-teleport-in-fips-mode) | | CC7.2 - Implements Detection Policies, Procedures, and Tools | Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software. | [Teleport creates detailed SSH Audit Logs with Metadata](../../reference/audit.mdx)

[Use BPF Session Recording to catch malicious program execution](../../server-access/guides/bpf-session-recording.mdx) | | CC7.2 - Designs Detection Measures | Detection measures are designed to identify anomalies that could result from actual or attempted (1) compromise of physical barriers; (2) unauthorized actions of authorized personnel; (3) use of compromised identification and authentication credentials; (4) unauthorized access from outside the system boundaries; (5) compromise of authorized external parties; and (6) implementation or connection of unauthorized hardware and software. | [Use Enhanced Session Recording to catch malicious program execution, capture TCP connections and log programs accessing files on the system the should not be accessing.](../../server-access/guides/bpf-session-recording.mdx) | | CC7.3 - Communicates and Reviews Detected Security Events | Detected security events are communicated to and reviewed by the individuals responsible for the management of the security program and actions are taken, if necessary. | [Use Session recording to replay and review suspicious sessions](../../architecture/nodes.mdx#ssh-session-recording). | diff --git a/docs/pages/reference/helm-reference/teleport-cluster.mdx b/docs/pages/reference/helm-reference/teleport-cluster.mdx index 7c31b1765f4bb..35179c91b6a53 100644 --- a/docs/pages/reference/helm-reference/teleport-cluster.mdx +++ b/docs/pages/reference/helm-reference/teleport-cluster.mdx 
@@ -269,7 +269,7 @@ Defaults to `local`. `authentication.localAuth` controls whether local authentication is enabled. When disabled, users can only log in through authentication connectors like `saml`, `oidc` or `github`. -[Disabling local auth is required for FedRAMP / FIPS](../../access-controls/compliance-frameworks/fedramp.mdx#teleport-auth-service). +[Disabling local auth is required for FedRAMP / FIPS](../../access-controls/compliance-frameworks/fedramp.mdx#configure-the-teleport-auth-service). ### `authentication.lockingMode`
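Review bot: in the `## Download and install` hunk of `fedramp.mdx`, the "Verify that the checksums match" step has no check that fails on a mismatch. The first `curl` prints the published digest and `shasum -a 256` prints the computed one, so the reader has to compare two 64-character strings by eye. Suggest saving the `.sha256` file with `curl -O` and verifying with `shasum -a 256 -c` against it, assuming the published file is in the check format that `shasum` accepts, so a bad download stops the procedure before `sudo ./install`. The digest is also fetched from `get.gravitational.com` while the archive comes from `cdn.teleport.dev`; use one host for both or say why they differ. Separately, as the added lines read here, the file name is `teleport-ent-(= teleport.version =)-linux--fips-bin.tar.gz`, with an empty architecture segment and without the `v` prefix that the removed `teleport-ent-v(=teleport.version=)-linux-amd64-fips-bin.tar.gz` line had; please confirm both render to a real artifact name.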
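Review bot: in the `@@ -90,7 +107,7 @@` hunk of `fedramp.mdx`, the heading changes from `### Teleport Node` to `## Configure the Teleport SSH Service`, but the unchanged sentence directly under it still says "on the Node Service host". Suggest updating that sentence to the same term as the new heading so the section does not use two names for one component.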
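Review bot: the heading renames in `fedramp.mdx` change the anchors those headings generate, and only two inbound links are updated in this patch (`#start-teleport-in-fips-mode` in `soc2.mdx` and `#configure-the-teleport-auth-service` in `teleport-cluster.mdx`). The other renamed headings (`Setup`, `Configuration`, `Teleport Node`, `Systemd Unit File`, `Default Cryptographic Algorithms`, `FedRAMP Audit Log`) get new anchors too, so please search the docs tree for links to the old ones before merging. Promoting every `###` to `##` also removes the `## Configuration` parent section, which is worth confirming as intended for the page's table of contents.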