Crypto module used in wazuh for data at transit

[Aditya Srivastava]

Hi Team,

We are evaluating wazuh to be used for our setup. This setup has to be FEDRAMP compliant as per our policy. While wazuh ticks most of the fedramp controls, there is clarity required on below point

- Wazuh uses AES encryption for data in transit, I wanted to understand what crypto module is used for this encryption. 

- The crypto module used, is it FIPS 140-2 compliant?

Would appreciate if we can get answer for it. We can work on remaining controls, just need clarity here

Thanks,

Aditya Srivastava

[Matias Pereyra]

Hello!

Wazuh uses CBC (Cipher Block Chaining) AES encryption mode in every message between agents and manager (see the blog post Benefits of using AES in our communications). The methods are implemented in aes_op.c source file and they use the OpenSSL module. 

This library has a legacy FIPS module compatible with OpenSSL 1.0.2 (https://www.openssl.org/docs/fips.html) and the last v3.0 release will also have a new FIPS module (https://www.openssl.org/blog/blog/2021/09/22/OpenSSL3-fips-submission/). But the current version used by Wazuh is OpenSSL 1.1.1, and some small changes should be implemented to use the legacy FIPS module until the new 3.0 version is included.

Can you give me more information about what you need?

Is it possible for you to use Wazuh with this specific OpenSSL module? 

Regards.

[Aditya Srivastava]

Hi Matias,

Thank you for that information. Really appreciate it. 

From your reply, if I sum up, wazuh is curently using 1.1.1 openssl which is not fips module compatible. 

Openssl 1.0.2 is fips compatible, but need to make small changes to wazuh source code for making it work.

Two questions from this

1. Is there a version of wazuh that supported openssl 1.0.2 in the past?

2. When you say small changes, what parameter changes are required to use fips legacy module in current wazuh version?

In response to your question about our need, we are planning to use wazuh as our SIEM tool including FIM and HIDS module.

We need to make sure that the SIEM we use is FEDRAMP compliant and has FIPS enabled crypto module used for data encryption.

Yes, if wazuh could use an encryption that is fips module compatible, we can surely use that.

Thanks,

Aditya

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/e5cebc24-8da8-4a2e-9b90-3c3711aa9d2bn%40googlegroups.com.

[Paul Robertson]

Note several things:

FIPS140 compliant is not the same as FIPS certified.  If certification is required, you must use programs that have been through and passed testing.  Testing is expensive, even for code expected to pass.

Older SSL libraries often have security bugs making them unsuitable for use.  Therefore you also need to pay attention to bug fix and currency requirements, there are no shortcuts here.

OpenSSL is not the only encryption used in the stack.

Both RefHat and SUSE offer OS versions that have currently maintained FIPS140 OpenSSL AND SSH libraries, and I believe the kernel routines as well.  These cost money, but as long as the library is dynamically linked will meet the requirement. At least that was my impression last time I looked.

Paul

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/CAHYjX6PE1o71xAOG3QZV-CFw7hE3tUSy%3Dg2R82zXNwdnmi_bSQ%40mail.gmail.com.

[Matias Pereyra]

Hello again!

Thank you Paul for your comments. It is true that legacy versions may not have the back-ports of all the vulnerability fixes. And on the other hand, I was unable to find a Wazuh version using OpenSSL 1.0.2.

Even having similar interfaces between OpenSSL 1.1.1l and 1.0.2, this is not a configuration change, a custom package should be generated. The package should make use of this specific external dependency and a full QA cycle must be done over the package. It is possible but it has to be analyzed more in-depth.

The best solution probably is to include the last OpenSSL 3.0 version and document the steps to enable the FIPS module. The Wazuh team is currently analyzing the possibilities to include this work in the roadmap as it isn't that straightforward.

Finally, you should consider also the rest of the components in the stack. For example ElasticSearch: https://www.elastic.co/guide/en/elasticsearch/reference/current/fips-140-compliance.html

Regards.