FIPS mode for Ingest tools

Stack Preview 9.1.0

Elastic Agent, Fleet, Filebeat, Metricbeat, and APM Server binaries are built and configured to use FIPS 140-2 compliant cryptography. Generally speaking FIPS 140-2 requirements can be summarized as:

linking against a FIPS certified cryptographic library
using only FIPS approved cryptographic functions
ensuring that the configuration of the component is FIPS 140-2 compliant.

FIPS-compatible binaries and configuration

FIPS compatible binaries for Elastic Agent, Fleet, Filebeat, Metricbeat, and APM Server are available for download. Look for the Linux 64-bit (FIPS) or Linux aarch64 (FIPS) platform option on the product download pages for Elastic Agent and Fleet, Filebeat, and Metricbeat. Look for the Linux x86_64 (FIPS) or Linux aarch64 (FIPS) platform option on the APM Server download page.

Important

The default configurations provided in the binaries are FIPS compatible. Be sure to check and understand the implications of changing default configurations.

Limitations

TLS

Only FIPS 140-2 compliant TLS protocols, ciphers, and curve types are allowed to be used as listed below.

The supported TLS versions are TLS v1.2 and TLS v1.3.
The supported cipher suites are:
- TLS v1.2: ECDHE-RSA-AES-128-GCM-SHA256, ECDHE-RSA-AES-256-GCM-SHA384, ECDHE-ECDSA-AES-128-GCM-SHA256, ECDHE-ECDSA-AES-256-GCM-SHA384
- TLS v1.3: TLS-AES-128-GCM-SHA256, TLS-AES-256-GCM-SHA384
The supported curve types are P-256, P-384 and P-521.

Support for encrypted private keys is not available, as the cryptographic modules used for decrypting password protected keys are not FIPS validated. If an output or any other component with an SSL key that is password protected is configured, the components will fail to load the key. When running in FIPS mode, you must provide non-encrypted keys. Be sure to enforce security in your FIPS environments through other means, such as strict file permissions and access controls on the key file itself, for example.

These TLS related restrictions apply to all components listed--Elastic Agent, Fleet, Filebeat, Metricbeat, and APM Server.

General output and input limitations (Kerberos protocol)

The Kerberos protocol is not supported for any output or input, which also impacts the available sasl.mechanism for the Kafka output where only PLAIN is supported.

This impacts Filebeat, Metricbeat and APM Server, as well as output configurations for Elastic Agent with Fleet Server.

APM Server

The Secrets Keystore is not supported.

Filebeat

The Secrets Keystore is not supported.
The Translate GUID processor is not supported.
The Fingerprint processor does not support the md5 and sha1 method.
The Community ID Network Flowhash processor is not supported.
The Azure module including the Azure eventhub input and the Azure Blob Storage Input are not currently supported. The Add Cloud Metadata processor does not support the Azure Virtual Machine provider currently.
The Office 365 module (Beta) and the Office 365 input (Deprecated) are not supported.
The GCP Pub/Sub input and the Google Cloud Storage input are not supported for now.
The Entity Analytics input is not supported.

Metricbeat

The Secrets Keystore is not supported.
The Translate GUID processor is not supported.
The Fingerprint processor does not support the md5 and sha1 method.
The Community ID Network Flowhash processor is not supported.
The Azure module is currently not supported. The Add Cloud Metadata processor does not support the Azure Virtual Machine provider currently.
The Google Cloud Platform module is currently not supported.
The Beta KVM module is not yet supported.
The Mongo DB module is not supported.
The MySQL, PostgreSQL, MSSQL and SQL modules are not supported.
The Oracle module is not supported.

Elastic Agent and Fleet Server

When you use Elastic Agent and Fleet Server, these limitations apply:

Running Elastic Agent in OpenTelemetry mode is not yet supported. This includes all receivers, such as Filebeat Receiver, Metricbeat Receiver, Prometheus Receiver.
Some Elastic Integrations are not FIPS compatible, as they depend on functionality that is not yet supported for FIPS configuration. In general, when using Elastic Agent and Fleet Server, the same restrictions listed previously for Metricbeat and Filebeat modules, inputs, and processors apply.

These Elastic Integrations have components that are not FIPS compatible, and cannot be used in FIPS environments, even if combined with other ingest tools that offer FIPS mode.