Comments (3)
My rudimentary understanding of FIPS 140-2 is that all cryptographic routines should be implemented by a NIST certified cryptographic module that has a valid certificate in the NIST CMVP (https://csrc.nist.gov/projects/cryptographic-module-validation-program). One such for java is our old and dear friend Bouncy Castle: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4616
Installing appropriate bouncy castle libraries and configuring them correctly in the java security portion of the JRE is a large first step. Ensuring that application code within Jenkins makes use of the appropriate crypto routines from bouncy castle is another fun challenge, but even having a guide for getting the JVM used by Jenkins into the right starting place is quite valuable.
The goal here could be to solve some or all of controls like NIST 800.53 SC-08, SC-12, SC-28, which are briefly: encryption in transit, crytographic key creation/management, and encryption at rest. NIST is only one example security framework - there are certainly others, but maybe this can help to guide the refinement of goals here? Are we trying to make keystores use FIPS 140-2 validated modules, or passwords, or TLS, or storage? Maybe all of the above...? There are also limits on which crypto routines you can even run - eg. md5 is no good for security purposes.
https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_1/home for more about the SC control family.
Jenkins is also fun with great features like shell script execution, you quickly find the need to also harden your OS. So you start doing things like https://aws.amazon.com/blogs/publicsector/enabling-fips-mode-amazon-linux-2/ to get openssl running with FIPS-140-2 validated cryto for your curl calls...
from jep.
The point of this issue is to define (in broad terms) the set of plugins that will be adapted. JEP-237 (reasonably) states that "making every […] plugin compliant" is out of scope, but this raises the question as to which plugins do need to be made compliant as part of this JEP, since it isn't practical to run Jenkins without at least a few plugins.
from jep.
I will update the scope to be a type of inbound agent, with pipelines using the basic sh
bat
powershell
/ pwsh
, node
steps and the junit
plugin as a minimally acceptable set.
We will need one authorisation and authentication strategy which I think can be left ambiguous until such time that we remove the JEP from draft status, or before should analysis find a reasonable target) . (but will likely be ldap
and matrix-auth
)
If you think there is some other minimally required plugin then please suggest it here.
from jep.
Related Issues (3)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from jep.