FIPS 140-2 certification for data at rest and MySQL approval??!!??!!


Union Girl

Feb 27, 2012, 8:43:33 AM
to Military Open Source Software
Below is a post I made to the Government Drupal4Gov listserv. Folks
there suggested I also give it a try to post here.

The gist is, my agency has not approved MySQL for the enterprise
(their explanation is below). Drupal is now database agnostic, so I'm
not so worried about D7 projects. I'm worried about getting mysql
approved in general because I have Open Atrium ready to be deployed
and it now can't be and when the new crawlers are finally up and
running, it's going to cause issues for our Wordpress blogs as well.

So, I would really like to be able to address these issues now and get
mysql approved. Is there anyone here who can help with suggestions?

From: us-governme...@googlegroups.com [us-government-
drup...@googlegroups.com] On Behalf Of Union Girl
[bend...@gmail.com]
Sent: Friday, February 24, 2012 3:56 PM
To: US Government Drupalers
Subject: [drupal4gov] FIPS 140-2 certification for data at rest???

So, my approval for Drupal last year, that took 51 weeks to get, was
actually not an approval at all. No, this is not a joke. Has anyone
run across this and what did you do?

I'm being told that if I continue to pursue standing up Drupal (this
includes Open Atrium), I won't be permitted to put it into a
production environment. I can test it all I want in dev, but no
production because (and I'm quoting here):


The Enterprise Security Solutions Service (ESSS) performed an
assessment of the Oracle MySQL product in July 2011. Although the
product does contain multiple tools for customization, users access
controls, AES 128-bit encryption and supports FIPS 140-2 compliant
OpenSSL for data in transit, unfortunately, it does not meet the
required FIPS 140-2 certification with regard to data at rest and does
not meet the requirement of the VA 6500 Handbook.

As a result of the assessment, ESS proposed that the database product
be considered for “approval with constraint,” with the constraint
being that the database can only be run on a development or testing
environment or air-gapped environment and must never be incorporated
into the VA Enterprise Production Network.

Additionally, the product (including numerous versions) has over three
hundred reported entries within the DHS/US-CERT National Vulnerability
Database <http://web.nvd.nist.gov/view/vuln/search-results?query=MySQL&search_type=all&cves=on> and has been found to have
vulnerabilities including those that allow remote authenticated users
to affect confidentiality and integrity via unknown vectors, SQL
injection vulnerabilities which may allow users to execute arbitrary
SQL commands, etc., and potential denial of service attacks.

Gunnar Hellekson

Feb 27, 2012, 8:52:40 AM
to mil...@googlegroups.com

You should be able to get FIPS 140-2 compliant data at rest protection outside of MySQL by encrypting the filesystem. Red Hat, for what it's worth, will do this out of the box. That should satisfy the requirement.

As to their second objection, counting the number of vulnerabilities isn't a satisfactory way of measuring the fitness of the product. I'd ask them to look at the severity of the vulnerabilities, and the speed of the vendor response to them. They should feel free to compare MySQL with Windows XP, for instance.

Follow that up with a list of VA programs already using MySQL (I'm sure they exist) and you should be in good shape for an appeal.

Failing that, I'd recommend EnterpriseDB, which recently got Postgres Common Criteria certified. It would be hard for them to object to that.

g


On Monday, 27 February 2012 at 07:43, Union Girl wrote:

> Below is a post I made to the Government Drupal4Gov listserv. Folks
> there suggested I also give it a try to post here.
>
> The gist is, my agency has not approved MySQL for the enterprise
> (their explanation is below). Drupal is now database agnostic, so I'm
> not so worried about D7 projects. I'm worried about getting mysql
> approved in general because I have Open Atrium ready to be deployed
> and it now can't be and when the new crawlers are finally up and
> running, it's going to cause issues for our Wordpress blogs as well.
>
> So, I would really like to be able to address these issues now and get
> mysql approved. Is there anyone here who can help with suggestions?
>

> --
> You received this message because you are subscribed to the "Military Open Source Software" Google Group.
> To post to this group, send email to mil...@googlegroups.com (mailto:mil...@googlegroups.com)
> To unsubscribe from this group, send email to mil-oss+u...@googlegroups.com (mailto:mil-oss+u...@googlegroups.com)
> For more options, visit this group at http://groups.google.com/group/mil-oss?hl=en
>
> www.mil-oss.org (http://www.mil-oss.org)


Jim Kinney

Feb 27, 2012, 9:37:36 AM
to mil...@googlegroups.com

+1 on switch to Enterprise DB. Between the cert level and the ACID compliance of postgresql you'll be in better shape.

Kit Plummer

Feb 27, 2012, 9:53:47 AM
to mil...@googlegroups.com
+1

Who knows what Oracle is ultimately going to do with MySQL (technically, or otherwise).

jmw oss-institute.org

Feb 27, 2012, 10:12:31 AM
to mil...@googlegroups.com
FYI, feedback from one of my sources who deals with this game on a regular basis.

There is no separate FIPS 140-2 validation for "data in transit" or "data
at rest" (at least for the Level 1 and 2 validations I'm familiar with).
I know nothing about the "VA 6500 Handbook" or even what agency she's
with (the VA perhaps?).

My sense is that she's in a position where she is opposed by a
bureaucratic entity, possibly for completely unrelated reasons, and that
is the excuse they are using. If so then she is pretty much S.O.L. in
the absence of a more powerful advocate, as even if she successfully
contested the specific objections her opposition would just conjure up
another.

I've seen that sort of game played too many times. The first question to
ask is whether the objections are due to simple innocent ignorance, or
calculated intent. Like as not it's the latter.

The count of CVE entries is a red herring, of course -- any non-trivial
product has many such entries. Such a count includes all reports, past
and present, substantiated or not.

Note also the reference to "Oracle MySQL", implying she's getting it
from Oracle. If so Oracle would be the one to fight the approvals
battle, and for commercial reasons they may not have much interest in
furthering the use of MySQL.

I like the idea of reaching out to EnterpriseDB. Hats off to them for the CC of postgres.

jmw
> be considered for "approval with constraint," with the constraint
> being that the database can only be run on a development or testing
> environment or air-gapped environment and must never be incorporated
> into the VA Enterprise Production Network.
>
> Additionally, the product (including numerous versions) has over three
> hundred reported entries within the DHS/US-CERT National Vulnerability
> Database <http://web.nvd.nist.gov/view/vuln/search-results?query=MySQL&search_type=all&cves=on> and has been found to have
> vulnerabilities including those that allow remote authenticated users
> to affect confidentiality and integrity via unknown vectors, SQL
> injection vulnerabilities which may allow users to execute arbitrary
> SQL commands, etc., and potential denial of service attacks.
>



Jeremy Lemmon

Oct 19, 2012, 4:02:23 PM
to mil...@googlegroups.com
Hi Gunnar,


On Monday, February 27, 2012 7:52:40 AM UTC-6, Gunnar Hellekson wrote:

> You should be able to get FIPS 140-2 compliant data at rest protection outside of MySQL by encrypting the filesystem. Red Hat, for what it's worth, will do this out of the box. That should satisfy the requirement.

Can you help point me in the right direction on finding where/how this is documented? I've found numerous references to the modules that have been FIPS certified, but no specific mention of how this applies to making disk/filesystem encryption FIPS compliant.

Any help would be much appreciated!

Cheers,
Jeremy

Gunnar Hellekson

Oct 19, 2012, 4:23:41 PM
to mil...@googlegroups.com

On 19 Oct 2012, at 15:02, Jeremy Lemmon wrote:
> On Monday, February 27, 2012 7:52:40 AM UTC-6, Gunnar Hellekson wrote:
>
>> You should be able to get FIPS 140-2 compliant data at rest protection outside of MySQL by encrypting the filesystem. Red Hat, for what it's worth, will do this out of the box. That should satisfy the requirement.
>
> Can you help point me in the right direction on finding where/how this is documented? I've found numerous references to the modules that have been FIPS certified, but no specific mention of how this applies to making disk/filesystem encryption FIPS compliant.

Basically, you go into FIPS mode and you're done. More details here:

https://access.redhat.com/knowledge/solutions/67603

g
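An added check (not from any poster or from Red Hat's article) for the two things Gunnar's answer relies on: the host running in FIPS mode and the MySQL data directory sitting on a dm-crypt (LUKS) volume, including the LVM-on-LUKS layout where the mounted device is not itself the crypt device. The /proc flag, the lsblk column names and GNU `df --output=target` are real Linux interfaces; the sample lsblk output is constructed.

```shell
#!/bin/sh
# Added check: kernel FIPS mode plus dm-crypt under the MySQL datadir.
# Return 0 if the flag file (normally /proc/sys/crypto/fips_enabled) reads "1".
fips_mode_enabled() {
    [ -r "$1" ] || return 1
    [ "$(head -n 1 "$1" | tr -d '[:space:]')" = "1" ]
}
# Read `lsblk -Pno NAME,TYPE,MOUNTPOINT,PKNAME` output on stdin; return 0 if the
# device mounted at $1, or any ancestor of it (LVM on LUKS, for example), has
# TYPE="crypt". A mountpoint that is not in the output fails closed.
mount_backed_by_crypt() {
    awk -v mnt="$1" '
    {
        split("", rec)
        for (i = 1; i <= NF; i++) {      # parse KEY="value" pairs
            split($i, kv, "=")
            gsub(/"/, "", kv[2])
            rec[kv[1]] = kv[2]
        }
        type[rec["NAME"]] = rec["TYPE"]
        parent[rec["NAME"]] = rec["PKNAME"]
        if (rec["MOUNTPOINT"] == mnt) dev = rec["NAME"]
    }
    END {
        for (n = dev; n != ""; n = parent[n]) if (type[n] == "crypt") exit 0
        exit 1
    }'
}
# Constructed sample: /var/lib/mysql is LVM on LUKS; /srv/plain is not encrypted.
SAMPLE_LSBLK='NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="luks-data" TYPE="crypt" MOUNTPOINT="" PKNAME="sda2"
NAME="vg0-mysql" TYPE="lvm" MOUNTPOINT="/var/lib/mysql" PKNAME="luks-data"
NAME="sdb" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" MOUNTPOINT="/srv/plain" PKNAME="sdb"'
# Live check of a real datadir (default /var/lib/mysql); needs GNU df and lsblk.
check_mysql_datadir() {
    datadir="${1:-/var/lib/mysql}"
    mnt=$(df --output=target "$datadir" | tail -n 1) || return 1
    fips_mode_enabled /proc/sys/crypto/fips_enabled \
        || { echo "FAIL: kernel is not in FIPS mode"; return 1; }
    lsblk -Pno NAME,TYPE,MOUNTPOINT,PKNAME | mount_backed_by_crypt "$mnt" \
        || { echo "FAIL: $datadir ($mnt) is not on a dm-crypt volume"; return 1; }
    echo "OK: FIPS mode on; $datadir is on a dm-crypt volume"
}
if [ "${1:-}" = "--live" ]; then check_mysql_datadir "$2"; fi
```

Run it as `sh check.sh --live /var/lib/mysql` on the database host; without `--live` it only defines the functions and the sample data.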

Jeremy Lemmon

Oct 19, 2012, 5:18:35 PM
to mil...@googlegroups.com
Awesome. Thanks for the fast reply!