On This Page

Home / Stream/ Securing·FIPS Mode

FIPS Mode

Federal Information Processing Standards FIPS is a set of US government standards and guidelines for information security. You can deploy Cribl Stream in FIPS mode. This mainly restricts the cryptographic algorithms used within Cribl Stream and also enforces FIPS compliant password requirements.

Requirements

This section describes the system and password requirements for FIPS mode.

FIPS Mode System Requirements

To run Cribl Stream in FIPS mode, your environment must satisfy the following requirements:

  • Operating system: Must support FIPS 140-2. Several Linux distributions meet this standard. See NIST’s list of tested configurations here.
  • OpenSSL: In particular, the environment must have a FIPS validated version of OpenSSL installed. For Cribl Stream version 4.5, this must be OpenSSL 3.0.8 or version 3.0.9, with its associated certificate.

Enterprise Linux 9 is the only version of Enterprise Linux that includes OpenSSL version 3.0.9 out of the box. While it’s possible to manually install compatible versions of OpenSSL on older Enterprise Linux versions, this process is complex and generally not recommended. Therefore, the minimum recommended Enterprise Linux version for running Cribl Stream in FIPS mode is 9.

FIPS Mode Restrictions on Cryptographic Algorithms

When run in FIPS mode, Cribl Stream uses only those cryptographic algorithms that satisfy the FIPS standards. This means that Cribl Stream does not run any part of its code that uses the MD5 (message-digest) or CRC-32 (Cyclic Redundancy Check 32) algorithms, or any other algorithm that does not support FIPS.

Therefore, in FIPS mode:

Cribl expressions that rely on MD5 or CRC-32 will fail silently. This includes expressions that use the C.Mask.md5() method and can in turn affect the behavior of parent Functions and their existing parent Pipelines.

The UI will hide certain options normally made available by the typeahead feature.

No Source, Destination, or Email Notification target that uses the Amazon AWS SDK v2 will perform checksums. This is because that SDK uses MD5 to verify checksums, and it applies to both incoming or outgoing payloads. Specifically:

Role-Based Access Control (RBAC) Controls

Cribl Stream’s FIPS mode requires RBAC to be enabled for enhanced security. This ensures proper access management within FIPS-compliant environments. To enable RBAC, the Cribl Stream instance has to be running in Distributed mode with an Enterprise licence.

If FIPS mode is already enabled and RBAC is subsequently disabled, Cribl Stream will automatically disable FIPS mode and log a message stating:

"Disabling FIPS due to Role-based Access Control (RBAC) being disabled."

FIPS Mode Password Rules

When Cribl Stream is in FIPS mode, all passwords must:

  • Contain eight or more characters.

  • Use characters from three or more of the following categories:

    • Lowercase letters.
    • Uppercase letters located after the first character in the password.
    • Digits located before the last character in the password.
    • Non-alphanumeric ASCII characters such as #, !, or ?.
    • Non-ASCII characters such as ñ, , or emoji.

As of Cribl Stream version 4.5.0, these rules apply for all passwords, whether or not Cribl Stream is running in FIPS mode, with one exception:

  • For Cribl Stream not running in FIPS mode, local users whose passwords existed before Cribl Stream 4.4.4 was released can continue to use their passwords, even if those passwords do not satisfy the rules.
  • When these users change to new passwords, the new passwords must satisfy the rules.
  • New users must create passwords that satisfy the rules.

If you get locked out of your account, you need to reset your password manually.

Running Cribl Stream in FIPS Mode

Once Cribl Stream has been started without FIPS mode enabled, you cannot put it into FIPS mode. You must enable FIPS mode as described in this section, after installing but before starting Cribl Stream.

To begin using Stream with FIPS enabled, complete either the non-systemd or the systemd procedure below, before you start Cribl Stream for the first time after installing.

Enabling FIPS Mode on a Non-systemd Distribution

If the Linux distribution on which you run Cribl Stream does not use systemd:

  1. Complete either of the two following steps:

    • Set the CRIBL_FIPS environment variable to 1 (true), or,

    • Edit cribl.yml, adding this top-level element:

      fips: true

      Note that fips: true is the entire top-level element. For this element, the following “stanza” syntax would be incorrect – do not use it:

      # stanza syntax is incorrect for the fips element 
# even if other elements use it
fips
  fips: true

  2. If you have installed a non-default OpenSSL binary (otherwise, skip this step):

    • Run the following command, and in the output, note the values of MODULESDIR and OPENSSLDIR.

      <binary_of_non-default_OpenSSL> version -a

    • Set OPENSSL_MODULES to the value of MODULESDIR.

    • Set CRIBL_OPENSSL_DIR to the value of OPENSSLDIR.

  3. Ensure RBAC is Configured in Cribl Stream.

  4. Start Cribl Stream.

Finally, verify that you are in FIPS mode as explained below.

Enabling FIPS Mode on a systemd Distribution

If the Linux distribution on which you run Cribl Stream does use systemd:

  1. Run the following command, and in the output, note the values of MODULESDIR and OPENSSLDIR. (As shown, the command will run the default OpenSSL binary. If you have installed a different OpenSSL binary, you can modify the command to run that one instead.)

    openssl version -a

  2. Run the following command, replacing the placeholders with the relevant paths from your environment. (This assumes that you do not already have a nodejs.cnf file. If you do have one, complete the workaround below instead of this step.)

If you encounter issues generating the FIPS configuration file, a discrepancy in the OpenSSL path might be the cause. For more detailed troubleshooting specific to RHEL 9, refer to the knowledge base article: Installing Cribl Stream in FIPS Mode on RHEL 9.

An example of a successful command and its output:

    useralice@123456791234:/# /opt/cribl/bin/cribl generateFipsConf -d /lib/usr/ssl
    /opt/cribl/state/nodejs.cnf

This command creates nodejs.cnf – the configuration file that NodeJS uses to run in FIPS mode as Cribl Stream starts.

  1. Run the following command to open an empty temporary file in an editor:

    systemctl edit cribl

  2. Add the following content to the file, replacing the first placeholder with the value of MODULESDIR that you noted in Step 1, and the second with the path to your nodejs.cnf file:

    [Service]
Environment="OPENSSL_MODULES=<value_of_MODULESDIR>"
Environment="OPENSSL_CONF=<path_to_nodejs.cnf_file>"

  3. Save and exit the editor.

  4. Run the following commands to reload the systemctl overrides and start Cribl:

    systemctl daemon-reload
systemctl start cribl

  5. Finally, verify that you are in FIPS mode as explained below.

When a nodejs.cnf File Already Exists

If you already have a nodejs.cnf file, replace Step 2 above with the following workaround:

  1. Create a file with the following content, replacing <placeholder> with the value of OPENSSLDIR. Name the file something other than nodejs.cnf.

    nodejs_conf = nodejs_init

.include /<placeholder>/fipsmodule.cnf

[nodejs_init]
providers = provider_sect

[provider_sect]
default = default_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
fips = fips_sect

[default_sect]
activate = 1

  2. Resume the main procedure above, starting with Step 3.

Verifying that you are in FIPS mode

  • On the Leader, search cribl.log for this message:

    "level":"info","message":"running with FIPS enabled"

  • The presence of the above message confirms that Cribl Stream is in FIPS mode.

Log in as admin – you will be prompted to enter a FIPS compliant password.