From 8d438467c6137aacbd7a9d1a845badc191fb72c4 Mon Sep 17 00:00:00 2001 From: hestonhoffman Date: Tue, 6 May 2025 11:05:56 -0700 Subject: [PATCH 1/8] (Agent)(DOCS-10740) FIPS Agent --- .../en/agent/configuration/fips-compliance.md | 367 ++++-------------- content/en/agent/faq/_index.md | 2 + content/en/agent/faq/fips_proxy.md | 358 +++++++++++++++++ content/en/agent/guide/_index.md | 1 - content/en/agent/guide/fips-agent.md | 123 ------ 5 files changed, 438 insertions(+), 413 deletions(-) create mode 100644 content/en/agent/faq/fips_proxy.md delete mode 100644 content/en/agent/guide/fips-agent.md diff --git a/content/en/agent/configuration/fips-compliance.md b/content/en/agent/configuration/fips-compliance.md index 2a91bbfe8e3a7..7e46915ff8ce2 100644 --- a/content/en/agent/configuration/fips-compliance.md +++ b/content/en/agent/configuration/fips-compliance.md @@ -3,6 +3,7 @@ title: Datadog FIPS Compliance disable_toc: false alias: - /agent/guide/agent-fips-proxy +- /agent/guide/fips-agent - /configuration/agent-fips-proxy further_reading: - link: "agent/configuration/proxy" @@ -16,36 +17,22 @@ algolia: tags: ["fips", "fips proxy", "compliance", "fedramp", "govcloud"] --- -{{< callout url="" btn_hidden="true" header="Try the FIPS Agent Preview!">}} -A FIPS flavor of the Datadog Agent is in Preview. For more information, see FIPS Agent. -{{< /callout >}} - {{< site-region region="us,us3,us5,eu,ap1" >}} -
The Datadog Agent FIPS Proxy is available only in the US1-FED region.
+
The Datadog FIPS Agent is available only in the US1-FED region.
{{< /site-region >}} -The Datadog Agent FIPS Proxy ensures that communication between the Datadog Agent and Datadog uses FIPS-compliant encryption. - -The Datadog Agent FIPS Proxy is a separately distributed component that you deploy on the same host as the Datadog Agent. The proxy acts as an intermediary between the Agent and Datadog intake. The Agent communicates with the Datadog Agent FIPS Proxy, which encrypts payloads using a FIPS 140-2 validated cryptography and relays the payloads to Datadog. The Datadog Agent and the Agent FIPS Proxy must be configured in tandem to communicate with one another. - -
FIPS compliance is not retained if the Datadog Agent FIPS Proxy and the Datadog Agent are not on the same host. -
Similarly, FIPS compliance is not retained if the fips.enabled option is not set to true in datadog.yaml.
+The FIPS Agent is a flavor of the Datadog Agent that natively supports Federal Information Processing Standards (FIPS) compliance. The FIPS Agent includes limited support for integrations that need to collect observability data that is external to the host. ## Supported platforms and limitations -The Datadog Agent FIPS Proxy's compliance is based on its use of the FIPS 140-2 validated [Cryptographic Module - Certificate #4282][1]. See the related [security policy][2] for information about validated operating environments and restrictions. - -**It is your responsibility to ensure operating environment compliance with the security policy and wider FIPS guidance.** - Supported platforms: ||| | --- | ----------- | -| Bare metal and VMs | RHEL >= 7
Debian >= 8
Ubuntu >= 14.04
SUSE >= 12| +| Bare metal and VMs | RHEL >= 7
Debian >= 8
Ubuntu >= 14.04
SUSE >= 12
Windows Server >= 2016
Windows >= 10| | Cloud and container| Amazon ECS
AWS EKS (Helm)| Supported products (Agent 7.45+): - - Metrics - Logs - APM traces @@ -54,7 +41,7 @@ Supported products (Agent 7.45+): - Orchestrator Explorer - Runtime Security -The Datadog Agent FIPS Proxy does **not** support the following: +The Datadog FIPS Agent does **not** support the following: - Serverless Monitoring - Communication between Cluster Agent and Node Agents 
@@ -63,306 +50,108 @@ The Datadog Agent FIPS Proxy does **not** support the following: ## Prerequisites -- TCP port range available: 9803 to 9818 -- Datadog Agent >= v7.41 - -## Install the Agent with FIPS support - {{< tabs >}} -{{% tab "Host or VM" %}} - -### Install the Agent on a new host +{{% tab "Linux" %}} +- A non-containerized Linux host. +- Your Linux OS must be in FIPS-compliant mode. See your OS vendor's documentation on what steps are required to meet this requirement. +- FIPS-compliant storage backing the host file system. +{{% /tab %}} -To install the Datadog Agent with the Datadog Agent FIPS Proxy, add `DD_FIPS_MODE=1` to the one-step install instructions on the [Datadog Agent Integration][1] page. For example: +{{% tab "Windows" %}} +- A non-containerized Windows host. +- Windows must be in [FIPS-compliant mode][1]. +- FIPS-compliant storage backing the host file system. -```shell -DD_API_KEY= \ -DD_SITE="ddog-gov.com" \ -DD_FIPS_MODE=1 \ -bash -c "$(curl -L \ - https://install.datadoghq.com/scripts/install_script_agent7.sh)" -``` +[1]: https://learn.microsoft.com/en-us/windows/security/security-foundations/certification/fips-140-validation +{{% /tab %}} +{{< /tabs >}} -Setting the `DD_FIPS_MODE` environment variable installs the FIPS package along with the Agent, and configures the Agent to use the proxy. There are no additional configuration steps if you're using this method, but you should [verify the installation](#verify-your-installation). +In addition to the Operating System (OS) requirements above: +- You must have access to a FIPS-compliant Datadog environment (US1-FED). +- The FIPS Agent is only available on Agent versions 7.63 and above. -### Add the Datadog Agent FIPS proxy to an existing Agent +## Installation -Follow the steps below to add the Datadog Agent FIPS proxy to an existing Agent installation. 
+{{< tabs >}} +{{% tab "Linux" %}} -#### Install the Datadog Agent FIPS Proxy package +The Datadog FIPS Agent is in Preview and has not been fully audited. Install and test the Agent only on hosts that are not critical to production workloads. -1. Run the following commands to install the Datadog Agent FIPS Proxy: +1. Remove any `fips-proxy` installations on the host by uninstalling the `datadog-fips-proxy` package with your OS package manager. For example: - Debian: - ```shell - apt-get update && apt-get install datadog-fips-proxy - ``` - RHEL and Fedora: - ```shell - yum makecache && yum install datadog-fips-proxy + **Red Hat** + ```sh + sudo yum remove datadog-fips-proxy ``` - SLES: - ```shell - zypper refresh datadog && zypper install datadog-fips-proxy + **Ubuntu/Debian** + ```sh + sudo apt-get remove datadog-fips-proxy ``` +1. Ensure that the Agent's configuration file does not contain any [FIPS proxy][2] settings. FIPS proxy settings use the `fips.*` prefix. +1. Use the [instructions for your OS][3] to uninstall the Datadog Agent. +1. Install the Agent with FIPS support. + + **Note:** FIPS support is only available on Agent versions 7.63.0 and above: + 1. If you're using the Agent install script, specify the `DD_AGENT_FLAVOR="datadog-fips-agent"` environment variable in your installation command. For example: + + ```sh + DD_SITE="ddog-gov.com" DD_API_KEY="MY_API_KEY" DD_AGENT_FLAVOR="datadog-fips-agent" … bash -c "$(curl -L https://s3.amazonaws.com/dd-agent/scripts/install_script_agent7.sh)" + ``` + 1. If you're installing with a package, [follow the instructions][4] to install the latest `datadog-fips-agent` package available for your platform. + 1. Add `GOFIPS=1` to your Datadog environment variables, reload all service units, and restart the Datadog Agent service (`datadog-agent.service`). 
For example, if your host is using systemd: + + ```sh + echo "GOFIPS=1" | sudo tee -a /etc/datadog-agent/environment + systemctl daemon-reload + systemctl restart 'datadog-agent*' + ``` + 1. Run the `datadog-agent status` command and make sure you see `FIPS Mode: enabled` in the status output. + + {{< img src="/agent/fips-linux.png" alt="Your image description" style="width:100%;" >}} + +[2]: /agent/configuration/fips-compliance/ +[3]: /agent/guide/how-do-i-uninstall-the-agent/ +[4]: /agent/guide/installing-the-agent-on-a-server-with-limited-internet-connectivity/ +{{% /tab %}} -1. The first time you perform an upgrade, copy the example configuration file to the appropriate location and restart the proxy. You do not need to copy the configuration in subsequent upgrades unless there are significant changes in the upstream proxy configuration: - ```shell - sudo cp /etc/datadog-fips-proxy/datadog-fips-proxy.cfg.example \ - /etc/datadog-fips-proxy/datadog-fips-proxy.cfg - sudo chown dd-agent:dd-agent \ - /etc/datadog-fips-proxy/datadog-fips-proxy.cfg - sudo chmod 640 /etc/datadog-fips-proxy/datadog-fips-proxy.cfg - sudo systemctl restart datadog-fips-proxy - ``` - -#### Configure the Agent to use the Datadog Agent FIPS proxy - -The Datadog Agent FIPS Proxy package comes pre-configured for use with the US1-FED datacenter. If you're upgrading an existing Datadog Agent, you **must** configure the Agent to use the proxy. - -To configure the Agent to use the proxy, set `fips.enabled` to `true` and `fips.https` to `false` in the [Agent configuration file][2]: - -```yaml -fips: - enabled: true - https: false -``` - -The `fips` setting is available in Agent versions >= 7.41. When the setting is enabled, the Datadog Agent redirects all of its communications to the Datadog Agent FIPS Proxy for supported products. This setting ignores custom URL options, such as `dd_url`. - -The `https` option is set to `false` because the Agent uses HTTP to communicate with the proxy. 
The Datadog Agent FIPS Proxy runs on the same host as the Agent and relies on the host's security for protection of that communication. - -**Host security and hardening are your responsibilities.** - -
The fips.enabled setting defaults to false in the Agent. It must be set to true to ensure all communications are forwarded through the Datadog Agent FIPS Proxy.

If fips.enabled is not set to true, the Agent is not FIPS Compliant.
- -### Verify your installation - -Verify that metrics, traces, and logs are correctly reported in the app. - -For metrics, run the connectivity diagnostic command and verify that all checks pass: - -```shell -sudo -u dd-agent datadog-agent diagnose --include connectivity-datadog-core-endpoints -# For Agent version < 7.48, run the following command: -# sudo -u dd-agent datadog-agent diagnose datadog-connectivity -``` +{{% tab "Windows" %}} -If you don't see metrics, traces, or logs reported in the app, see the [Troubleshooting](#troubleshooting-a-bare-metal-or-vm-installation) section. +The Datadog FIPS Agent is in preview and has not been fully audited. Install and test the Agent only on hosts that are not critical to production workloads. -### View logs +1. Follow the [Windows instructions][1] to uninstall the Datadog Agent. +1. Run the command below to install the FIPS Agent, replacing `DATADOG_API_KEY` with your API key: -```shell -sudo journalctl -u datadog-fips-proxy -``` + **Note:** FIPS support is only available on Agent versions 7.63.0 and above: -#### journald logs configuration + {{< code-block lang="powershell" >}} +$p = Start-Process -Wait -PassThru msiexec -ArgumentList '/qn /i https://windows-agent.datadoghq.com/datadog-fips-agent-7.64.3.msi /log C:\Windows\SystemTemp\install-datadog.log APIKEY="" SITE="ddog-gov.com"' +if ($p.ExitCode -ne 0) { + Write-Host "msiexec failed with exit code $($p.ExitCode) please check the logs at C:\Windows\SystemTemp\install-datadog.log" -ForegroundColor Red +} +{{< /code-block >}} -If you use [Log Management][3] and want to send the Datadog Agent FIPS Proxy logs to Datadog, set up the Datadog Agent to read logs from journald. + To install a different preview version of the FIPS Agent, search the [list of stable Agent versions][2] for `datadog-fips-agent` and replace the MSI in the command above with your desired version. -1. 
In the Agent's [configuration file][2], set `logs_enabled` to `true` to activate the Logs Agent. In the [configuration directory][4], create a file at `fips_proxy.d/conf.yaml` with the following content: +1. Run the Agent `status` command and make sure you see `FIPS Mode: enabled` in the status output. - ```yaml - logs: - - type: journald - source: datadog-fips-proxy - include_units: - - datadog-fips-proxy.service + ```powershell + & "$env:ProgramFiles\Datadog\Datadog Agent\bin\agent.exe" status ``` -1. Make sure that the `dd-agent` user is in the `systemd-journal` group. For more information, see the [journald integration][5] documentation. -1. [Restart the Agent][6]. - -[1]: https://app.datadoghq.com/account/settings/agent/latest -[2]: /agent/configuration/agent-configuration-files/#agent-main-configuration-file -[3]: /logs/ -[4]: /agent/configuration/agent-configuration-files/#agent-configuration-directory -[5]: /integrations/journald/#configuration -[6]: /agent/configuration/agent-commands/#start-stop-and-restart-the-agent -{{% /tab %}} - -{{% tab "Helm on Amazon EKS" %}} -Set the following values in your `values.yaml` file: - -```yaml -fips: - enabled: true - use_https: false -``` - -The `fips` setting is available in Agent versions >= 7.41. When the setting is enabled, the Datadog Agent redirects all of its communications to the Datadog Agent FIPS Proxy for supported products. This setting ignores custom URL options, such as `dd_url`. + {{< img src="/agent/fips-powershell.png" alt="Your image description" style="width:100%;" >}} -The `use_https` option is set to `false` because the Agent uses HTTP to communicate with the proxy. The Datadog Agent FIPS Proxy runs on the same host as the Datadog Agent and relies on the host's security for protection of that communication. -**Host security and hardening are your responsibilities.** +**Note**: The program name for the FIPS Agent in **Add or Remove Programs** is "Datadog FIPS Agent." -
The fips.enabled setting defaults to false in the Agent. It must be set to true to ensure all communications are forwarded through the Datadog Agent FIPS Proxy.

If fips.enabled is not set to true, the Agent is not FIPS Compliant.
+[1]: /agent/basic_agent_usage/windows/#uninstall-the-agent +[2]: https://windows-agent.datadoghq.com/installers_v2.json - -{{% /tab %}} - -{{% tab "Amazon ECS" %}} - -For instructions on installing the FIPS proxy on Amazon ECS, see [FIPS proxy for GOVCLOUD environments][1]. - -[1]: /containers/amazon_ecs/#fips-proxy-for-govcloud-environments {{% /tab %}} - {{< /tabs >}} -## Security and hardening - -You, the Datadog customer, are responsible for **host** security and hardening. - -Security considerations: -- While the Datadog images provided are constructed with security in mind, they have not been evaluated against CIS benchmark recommendations or DISA STIG standards. -- If you rebuild, reconfigure, or modify the Datadog Agent FIPS Proxy to fit your deployment or testing needs, you might end up with a technically working setup, but Datadog cannot guarantee FIPS compliance if the Datadog Agent FIPS Proxy is not used exactly as explained in the documentation. -- If you did not follow the installation steps listed above exactly as documented, Datadog cannot guarantee FIPS compliance. Correct configuration includes having your Datadog Agent configured to communicate to the Datadog Agent FIPS Proxy by setting the `fips.enabled` option, and having a running Datadog Agent FIPS Proxy. - -### Communication between the Agent and the FIPS Proxy - -The Datadog Agent FIPS Proxy only secures communication originating from the Agent targeting the Datadog intake API endpoints. This means that other forms of communication terminating at the Agent or originating from the Agent are not made FIPS-compliant by this solution. - -### Communication between the Cluster Agent and Node Agents - -The Datadog Agent FIPS Proxy only secures communication originating from the Cluster Agent targeting the Datadog intake API endpoints. This means that other forms of communication terminating at the Cluster Agent or originating from the Cluster Agent are not made FIPS-compliant by this solution. 
- -### Release versions - -Datadog Agent FIPS Proxy releases are decoupled from Datadog Agent releases. Use the latest versions of both the Datadog Agent and Datadog Agent FIPS Proxy versions to ensure the Datadog Agent and FIPS proxy support all available products. - -## Troubleshooting a host or VM installation - -To troubleshoot the Datadog Agent FIPS Proxy, verify the following: -- The Datadog Agent and Datadog Agent FIPS Proxy are running. -- The Datadog Agent can communicate with the Datadog Agent FIPS Proxy. -- The Datadog Agent FIPS Proxy can communicate with Datadog intake endpoints. - -### Check the proxy status - -To get information about the state of the Datadog Agent FIPS Proxy, run the following command: - -```shell -sudo systemctl status datadog-fips-proxy -``` - -If the proxy is running, the output should look similar to the following: -```text -- datadog-fips-proxy.service - Datadog FIPS Proxy - Loaded: loaded - (/lib/systemd/system/datadog-fips-proxy.service; - enabled; vendor preset: enabled) - Active: active (running) since Tue 2022-07-19 16:21:15 UTC; 1min 6s ago -``` - -If the proxy status is `inactive (dead)`, launch the Datadog Agent FIPS Proxy: - -```shell -sudo systemctl start datadog-fips-proxy -``` - -If the proxy status is `failed`, the Datadog Agent FIPS Proxy could not be launched due to an error. Run the following command and search the proxy logs for errors: - -```shell -sudo journalctl -u datadog-fips-proxy --no-pager -``` - -### Proxy cannot bind socket - -If the proxy logs show a `bind socket` error, the proxy is trying to use a port that is already in use on the host. The Datadog Agent FIPS Proxy uses the TCP port range from 9803 up to and including 9818. Ports in this range must be available on the host and not used by other services. 
- -In the following example, the Datadog Agent FIPS Proxy is unable to bind a socket on port `9804` because the port is already in use: - -```text -[ALERT] (4518) : Starting frontend metrics-forwarder: cannot bind socket (Address already in use) [0.0.0.0:9804] -[ALERT] (4518) : [/opt/datadog-fips-proxy/embedded/sbin/haproxy.main()] Some protocols failed to start their listeners! Exiting. -``` - -### Agent is unable to connect to the proxy - -To check for network issues, check the logs at `/var/log/datadog/agent.log`, or run: - -```shell -datadog-agent diagnose --include connectivity-datadog-core-endpoints -# For Agent version < 7.48, run the following command: -# datadog-agent diagnose datadog-connectivity -``` - -Look for errors such as: -```text -connect: connection refused, context deadline exceeded (Client.Timeout exceeded while awaiting headers), or connection reset by peer -``` - -- Follow the steps in [Check the proxy status](#check-the-proxy-status) to verify that the Datadog Agent FIPS Proxy is running. -- Verify that the port range from the proxy matches the one from the Agent. - -If the proxy is running and the port range is correct, a local firewall on the machine may be blocking the Agent's access to the proxy. Set your firewall to allow connections to TCP ports from 9804 to 9818. - -You can use `curl` to verify that the proxy is accessible: - -```shell -curl http://localhost:9804/ -``` - -For further assistance, see [Agent Troubleshooting][3]. - -### Datadog Agent FIPS Proxy is unable to connect to Datadog intake - -If there are HTTP errors such as `502`, `503`, or if the proxy returns an empty response, the Datadog Agent FIPS Proxy might not be able to forward traffic to the Datadog backend. 
- -Verify the Datadog Agent FIPS Proxy logs with: - -```shell -sudo journalctl -u datadog-fips-proxy --no-pager -``` - -Check the logs for errors such as: - -```text -haproxy[292759]: [WARNING] (292759) : Server -datadog-api/mothership3 is DOWN, reason: Layer4 timeout, vcheck duration: 2000ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. -[ALERT] (292759) : backend 'datadog-api' has no server available! -``` - -or - -```text -haproxy[1808]: [WARNING] (1808) : Server -datadog-metrics/mothership2 is DOWN, reason: Layer4 -connection problem, info: "Connection refused", check duration: 0ms. 0 active and 0 backup servers left. 0 -sessions active, 0 requeued, 0 remaining in queue. -haproxy[1808]: [ALERT] (1808) : backend 'datadog-metrics' has no server available! -``` - -These errors indicate that the Datadog Agent FIPS Proxy is not able to contact backend systems, possibly due to being blocked by a firewall or due to another network issue. Datadog Agent FIPS Proxy requires internet access to the Datadog intake endpoints. You can find the IP addresses for these endpoints [through the API][4]. - -For more information about outbound connections from the Agent, see the [Network Traffic][5] guide. - -### Name resolver configuration for the FIPS Proxy -Replace `:` with the appropriate DNS Server IP addresses and port for your network. These IP addresses must correspond to your designated name resolver servers to maintain proper functionality and ensure accurate domain name resolution. In the `datadog-fips-proxy.cfg` configuration file, locate the section listed below and configure your DNS accordingly: -``` -# This section is to reload DNS Records - -# Replace these addresses with your DNS Server IP addresses. - -resolvers my-dns - - parse-resolv-conf - - nameserver dns1 : - - nameserver dns2 : -``` - -If you're still unsure about your issue, contact [Datadog support][6]. 
- ## Further reading {{< partial name="whats-next/whats-next.html" >}} -[1]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4282 -[2]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4282.pdf -[3]: /agent/troubleshooting/ -[4]: https://ip-ranges.ddog-gov.com/ -[5]: /agent/configuration/network/#destinations -[6]: /help/ +[2]: /agent/configuration/fips-compliance/ +[3]: /integrations/guide/fips-integrations \ No newline at end of file diff --git a/content/en/agent/faq/_index.md b/content/en/agent/faq/_index.md index 015fe68638221..41a47663d2c7b 100644 --- a/content/en/agent/faq/_index.md +++ b/content/en/agent/faq/_index.md @@ -27,4 +27,6 @@ aliases: {{< nextlink href="agent/faq/docker-hub" >}}Docker Hub{{< /nextlink >}} {{< nextlink href="agent/faq/proxy_example_haproxy" >}}Send traffix to Datadog using HAProxy{{< /nextlink >}} {{< nextlink href="agent/faq/proxy_example_nginx" >}}Send traffix to Datadog using NGINX{{< /nextlink >}} + {{< nextlink href="agent/faq/fips_proxy" >}}Agent FIPS proxy (deprecated){{< /nextlink >}} + {{< /whatsnext >}} diff --git a/content/en/agent/faq/fips_proxy.md b/content/en/agent/faq/fips_proxy.md new file mode 100644 index 0000000000000..2fc0b8e321c54 --- /dev/null +++ b/content/en/agent/faq/fips_proxy.md @@ -0,0 +1,358 @@ +--- +title: Agent FIPS proxy (deprecated) +disable_toc: false +private: true +further_reading: +- link: "/agent/fips-compliance" + tag: "Documentation" + text: "FIPS Compliance" +--- + +
The Datadog FIPS Proxy is no longer the recommended solution for FIPS-compliant encryption of the Datadog Agent. Use the Datadog FIPS Agent instead.
+ +{{< site-region region="us,us3,us5,eu,ap1" >}} +
The Datadog Agent FIPS Proxy is available only in the US1-FED region.
+{{< /site-region >}} + +The Datadog Agent FIPS Proxy ensures that communication between the Datadog Agent and Datadog uses FIPS-compliant encryption. + +The Datadog Agent FIPS Proxy is a separately distributed component that you deploy on the same host as the Datadog Agent. The proxy acts as an intermediary between the Agent and Datadog intake. The Agent communicates with the Datadog Agent FIPS Proxy, which encrypts payloads using a FIPS 140-2 validated cryptography and relays the payloads to Datadog. The Datadog Agent and the Agent FIPS Proxy must be configured in tandem to communicate with one another. + +
FIPS compliance is not retained if the Datadog Agent FIPS Proxy and the Datadog Agent are not on the same host. +
Similarly, FIPS compliance is not retained if the fips.enabled option is not set to true in datadog.yaml.
+ +## Supported platforms and limitations + +The Datadog Agent FIPS Proxy's compliance is based on its use of the FIPS 140-2 validated [Cryptographic Module - Certificate #4282][1]. See the related [security policy][2] for information about validated operating environments and restrictions. + +**It is your responsibility to ensure operating environment compliance with the security policy and wider FIPS guidance.** + +Supported platforms: + +||| +| --- | ----------- | +| Bare metal and VMs | RHEL >= 7
Debian >= 8
Ubuntu >= 14.04
SUSE >= 12| +| Cloud and container| Amazon ECS
AWS EKS (Helm)| + +Supported products (Agent 7.45+): + +- Metrics +- Logs +- APM traces +- APM profiles +- Processes +- Orchestrator Explorer +- Runtime Security + +The Datadog Agent FIPS Proxy does **not** support the following: + +- Serverless Monitoring +- Communication between Cluster Agent and Node Agents +- Agent integrations +- Outbound communication to anything other than GovCloud + +## Prerequisites + +- TCP port range available: 9803 to 9818 +- Datadog Agent >= v7.41 + +## Install the Agent with FIPS support + +{{< tabs >}} +{{% tab "Host or VM" %}} + +### Install the Agent on a new host + +To install the Datadog Agent with the Datadog Agent FIPS Proxy, add `DD_FIPS_MODE=1` to the one-step install instructions on the [Datadog Agent Integration][1] page. For example: + +```shell +DD_API_KEY= \ +DD_SITE="ddog-gov.com" \ +DD_FIPS_MODE=1 \ +bash -c "$(curl -L \ + https://install.datadoghq.com/scripts/install_script_agent7.sh)" +``` + +Setting the `DD_FIPS_MODE` environment variable installs the FIPS package along with the Agent, and configures the Agent to use the proxy. There are no additional configuration steps if you're using this method, but you should [verify the installation](#verify-your-installation). + +### Add the Datadog Agent FIPS proxy to an existing Agent + +Follow the steps below to add the Datadog Agent FIPS proxy to an existing Agent installation. + +#### Install the Datadog Agent FIPS Proxy package + +1. Run the following commands to install the Datadog Agent FIPS Proxy: + + Debian: + ```shell + apt-get update && apt-get install datadog-fips-proxy + ``` + RHEL and Fedora: + ```shell + yum makecache && yum install datadog-fips-proxy + ``` + SLES: + ```shell + zypper refresh datadog && zypper install datadog-fips-proxy + ``` + +1. The first time you perform an upgrade, copy the example configuration file to the appropriate location and restart the proxy. 
You do not need to copy the configuration in subsequent upgrades unless there are significant changes in the upstream proxy configuration: + ```shell + sudo cp /etc/datadog-fips-proxy/datadog-fips-proxy.cfg.example \ + /etc/datadog-fips-proxy/datadog-fips-proxy.cfg + sudo chown dd-agent:dd-agent \ + /etc/datadog-fips-proxy/datadog-fips-proxy.cfg + sudo chmod 640 /etc/datadog-fips-proxy/datadog-fips-proxy.cfg + sudo systemctl restart datadog-fips-proxy + ``` + +#### Configure the Agent to use the Datadog Agent FIPS proxy + +The Datadog Agent FIPS Proxy package comes pre-configured for use with the US1-FED datacenter. If you're upgrading an existing Datadog Agent, you **must** configure the Agent to use the proxy. + +To configure the Agent to use the proxy, set `fips.enabled` to `true` and `fips.https` to `false` in the [Agent configuration file][2]: + +```yaml +fips: + enabled: true + https: false +``` + +The `fips` setting is available in Agent versions >= 7.41. When the setting is enabled, the Datadog Agent redirects all of its communications to the Datadog Agent FIPS Proxy for supported products. This setting ignores custom URL options, such as `dd_url`. + +The `https` option is set to `false` because the Agent uses HTTP to communicate with the proxy. The Datadog Agent FIPS Proxy runs on the same host as the Agent and relies on the host's security for protection of that communication. + +**Host security and hardening are your responsibilities.** + +
The fips.enabled setting defaults to false in the Agent. It must be set to true to ensure all communications are forwarded through the Datadog Agent FIPS Proxy.

If fips.enabled is not set to true, the Agent is not FIPS Compliant.
+ +### Verify your installation + +Verify that metrics, traces, and logs are correctly reported in the app. + +For metrics, run the connectivity diagnostic command and verify that all checks pass: + +```shell +sudo -u dd-agent datadog-agent diagnose --include connectivity-datadog-core-endpoints +# For Agent version < 7.48, run the following command: +# sudo -u dd-agent datadog-agent diagnose datadog-connectivity +``` + +If you don't see metrics, traces, or logs reported in the app, see the [Troubleshooting](#troubleshooting-a-bare-metal-or-vm-installation) section. + +### View logs + +```shell +sudo journalctl -u datadog-fips-proxy +``` + +#### journald logs configuration + +If you use [Log Management][3] and want to send the Datadog Agent FIPS Proxy logs to Datadog, set up the Datadog Agent to read logs from journald. + +1. In the Agent's [configuration file][2], set `logs_enabled` to `true` to activate the Logs Agent. In the [configuration directory][4], create a file at `fips_proxy.d/conf.yaml` with the following content: + + ```yaml + logs: + - type: journald + source: datadog-fips-proxy + include_units: + - datadog-fips-proxy.service + ``` + +1. Make sure that the `dd-agent` user is in the `systemd-journal` group. For more information, see the [journald integration][5] documentation. +1. [Restart the Agent][6]. + +[1]: https://app.datadoghq.com/account/settings/agent/latest +[2]: /agent/configuration/agent-configuration-files/#agent-main-configuration-file +[3]: /logs/ +[4]: /agent/configuration/agent-configuration-files/#agent-configuration-directory +[5]: /integrations/journald/#configuration +[6]: /agent/configuration/agent-commands/#start-stop-and-restart-the-agent +{{% /tab %}} + +{{% tab "Helm on Amazon EKS" %}} +Set the following values in your `values.yaml` file: + +```yaml +fips: + enabled: true + use_https: false +``` + +The `fips` setting is available in Agent versions >= 7.41. 
When the setting is enabled, the Datadog Agent redirects all of its communications to the Datadog Agent FIPS Proxy for supported products. This setting ignores custom URL options, such as `dd_url`. + +The `use_https` option is set to `false` because the Agent uses HTTP to communicate with the proxy. The Datadog Agent FIPS Proxy runs on the same host as the Datadog Agent and relies on the host's security for protection of that communication. + +**Host security and hardening are your responsibilities.** + +
The fips.enabled setting defaults to false in the Agent. It must be set to true to ensure all communications are forwarded through the Datadog Agent FIPS Proxy.

If fips.enabled is not set to true, the Agent is not FIPS Compliant.
+ + +{{% /tab %}} + +{{% tab "Amazon ECS" %}} + +For instructions on installing the FIPS proxy on Amazon ECS, see [FIPS proxy for GOVCLOUD environments][1]. + +[1]: /containers/amazon_ecs/#fips-proxy-for-govcloud-environments +{{% /tab %}} + +{{< /tabs >}} + +## Security and hardening + +You, the Datadog customer, are responsible for **host** security and hardening. + +Security considerations: +- While the Datadog images provided are constructed with security in mind, they have not been evaluated against CIS benchmark recommendations or DISA STIG standards. +- If you rebuild, reconfigure, or modify the Datadog Agent FIPS Proxy to fit your deployment or testing needs, you might end up with a technically working setup, but Datadog cannot guarantee FIPS compliance if the Datadog Agent FIPS Proxy is not used exactly as explained in the documentation. +- If you did not follow the installation steps listed above exactly as documented, Datadog cannot guarantee FIPS compliance. Correct configuration includes having your Datadog Agent configured to communicate to the Datadog Agent FIPS Proxy by setting the `fips.enabled` option, and having a running Datadog Agent FIPS Proxy. + +### Communication between the Agent and the FIPS Proxy + +The Datadog Agent FIPS Proxy only secures communication originating from the Agent targeting the Datadog intake API endpoints. This means that other forms of communication terminating at the Agent or originating from the Agent are not made FIPS-compliant by this solution. + +### Communication between the Cluster Agent and Node Agents + +The Datadog Agent FIPS Proxy only secures communication originating from the Cluster Agent targeting the Datadog intake API endpoints. This means that other forms of communication terminating at the Cluster Agent or originating from the Cluster Agent are not made FIPS-compliant by this solution. + +### Release versions + +Datadog Agent FIPS Proxy releases are decoupled from Datadog Agent releases. 
Use the latest versions of both the Datadog Agent and Datadog Agent FIPS Proxy versions to ensure the Datadog Agent and FIPS proxy support all available products. + +## Troubleshooting a host or VM installation + +To troubleshoot the Datadog Agent FIPS Proxy, verify the following: +- The Datadog Agent and Datadog Agent FIPS Proxy are running. +- The Datadog Agent can communicate with the Datadog Agent FIPS Proxy. +- The Datadog Agent FIPS Proxy can communicate with Datadog intake endpoints. + +### Check the proxy status + +To get information about the state of the Datadog Agent FIPS Proxy, run the following command: + +```shell +sudo systemctl status datadog-fips-proxy +``` + +If the proxy is running, the output should look similar to the following: +```text +- datadog-fips-proxy.service - Datadog FIPS Proxy + Loaded: loaded + (/lib/systemd/system/datadog-fips-proxy.service; + enabled; vendor preset: enabled) + Active: active (running) since Tue 2022-07-19 16:21:15 UTC; 1min 6s ago +``` + +If the proxy status is `inactive (dead)`, launch the Datadog Agent FIPS Proxy: + +```shell +sudo systemctl start datadog-fips-proxy +``` + +If the proxy status is `failed`, the Datadog Agent FIPS Proxy could not be launched due to an error. Run the following command and search the proxy logs for errors: + +```shell +sudo journalctl -u datadog-fips-proxy --no-pager +``` + +### Proxy cannot bind socket + +If the proxy logs show a `bind socket` error, the proxy is trying to use a port that is already in use on the host. The Datadog Agent FIPS Proxy uses the TCP port range from 9803 up to and including 9818. Ports in this range must be available on the host and not used by other services. 
+ +In the following example, the Datadog Agent FIPS Proxy is unable to bind a socket on port `9804` because the port is already in use: + +```text +[ALERT] (4518) : Starting frontend metrics-forwarder: cannot bind socket (Address already in use) [0.0.0.0:9804] +[ALERT] (4518) : [/opt/datadog-fips-proxy/embedded/sbin/haproxy.main()] Some protocols failed to start their listeners! Exiting. +``` + +### Agent is unable to connect to the proxy + +To check for network issues, check the logs at `/var/log/datadog/agent.log`, or run: + +```shell +datadog-agent diagnose --include connectivity-datadog-core-endpoints +# For Agent version < 7.48, run the following command: +# datadog-agent diagnose datadog-connectivity +``` + +Look for errors such as: +```text +connect: connection refused, context deadline exceeded (Client.Timeout exceeded while awaiting headers), or connection reset by peer +``` + +- Follow the steps in [Check the proxy status](#check-the-proxy-status) to verify that the Datadog Agent FIPS Proxy is running. +- Verify that the port range from the proxy matches the one from the Agent. + +If the proxy is running and the port range is correct, a local firewall on the machine may be blocking the Agent's access to the proxy. Set your firewall to allow connections to TCP ports from 9804 to 9818. + +You can use `curl` to verify that the proxy is accessible: + +```shell +curl http://localhost:9804/ +``` + +For further assistance, see [Agent Troubleshooting][3]. + +### Datadog Agent FIPS Proxy is unable to connect to Datadog intake + +If there are HTTP errors such as `502`, `503`, or if the proxy returns an empty response, the Datadog Agent FIPS Proxy might not be able to forward traffic to the Datadog backend. 
+ +Verify the Datadog Agent FIPS Proxy logs with: + +```shell +sudo journalctl -u datadog-fips-proxy --no-pager +``` + +Check the logs for errors such as: + +```text +haproxy[292759]: [WARNING] (292759) : Server +datadog-api/mothership3 is DOWN, reason: Layer4 timeout, vcheck duration: 2000ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[ALERT] (292759) : backend 'datadog-api' has no server available! +``` + +or + +```text +haproxy[1808]: [WARNING] (1808) : Server +datadog-metrics/mothership2 is DOWN, reason: Layer4 +connection problem, info: "Connection refused", check duration: 0ms. 0 active and 0 backup servers left. 0 +sessions active, 0 requeued, 0 remaining in queue. +haproxy[1808]: [ALERT] (1808) : backend 'datadog-metrics' has no server available! +``` + +These errors indicate that the Datadog Agent FIPS Proxy is not able to contact backend systems, possibly due to being blocked by a firewall or due to another network issue. Datadog Agent FIPS Proxy requires internet access to the Datadog intake endpoints. You can find the IP addresses for these endpoints [through the API][4]. + +For more information about outbound connections from the Agent, see the [Network Traffic][5] guide. + +### Name resolver configuration for the FIPS Proxy +Replace `:` with the appropriate DNS Server IP addresses and port for your network. These IP addresses must correspond to your designated name resolver servers to maintain proper functionality and ensure accurate domain name resolution. In the `datadog-fips-proxy.cfg` configuration file, locate the section listed below and configure your DNS accordingly: +``` +# This section is to reload DNS Records + +# Replace these addresses with your DNS Server IP addresses. + +resolvers my-dns + + parse-resolv-conf + + nameserver dns1 : + + nameserver dns2 : +``` + +If you're still unsure about your issue, contact [Datadog support][6]. 
+ +## Further reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4282 +[2]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4282.pdf +[3]: /agent/troubleshooting/ +[4]: https://ip-ranges.ddog-gov.com/ +[5]: /agent/configuration/network/#destinations +[6]: /help/ diff --git a/content/en/agent/guide/_index.md b/content/en/agent/guide/_index.md index 0557dc2ed788d..5e2fd44af2890 100644 --- a/content/en/agent/guide/_index.md +++ b/content/en/agent/guide/_index.md @@ -15,7 +15,6 @@ cascade: {{< nextlink href="agent/guide/ansible_standalone_role/" >}}Set up Ansible Using a Standalone Datadog Role{{< /nextlink >}} {{< nextlink href="agent/guide/how-do-i-uninstall-the-agent" >}}How do I uninstall the Agent?{{< /nextlink >}} {{< nextlink href="agent/guide/linux-key-rotation-2024" >}}Linux key rotation 2024{{< /nextlink >}} - {{< nextlink href="agent/guide/fips-agent" >}}Install and configure the FIPS Agent{{< /nextlink >}} {{< /whatsnext >}} diff --git a/content/en/agent/guide/fips-agent.md b/content/en/agent/guide/fips-agent.md deleted file mode 100644 index dbe5eed39fe83..0000000000000 --- a/content/en/agent/guide/fips-agent.md +++ /dev/null @@ -1,123 +0,0 @@ ---- -title: Datadog FIPS Agent -further_reading: -- link: "/agent/configuration/fips-compliance" - tag: "Documentation" - text: "Datadog FIPS Compliance" -- link: "integrations/guide/fips-integrations" - tag: "Documentation" - text: "FIPS Verified Agent Integrations" -algolia: - rank: 80 - tags: ["fips", "fips proxy", "compliance", "fedramp", "govcloud"] ---- - -{{< site-region region="us,us3,us5,eu,ap1" >}} -
The FIPS Agent is available only in the US1-FED region.
-{{< /site-region >}} - -The FIPS Agent is a flavor of the Datadog Agent that natively supports Federal Information Processing Standards (FIPS) compliance. The FIPS Agent replaces the [FIPS proxy][2] and includes limited support for integrations that need to collect observability data that is external to the host. - -## Requirements - -**Linux:** - - A non-containerized Linux host. - - Your Linux OS must be in FIPS-compliant mode. See your OS vendor's documentation on what steps are required to meet this requirement. - - FIPS-compliant storage backing the host file system. - -**Windows:** - - A non-containerized Windows host. - - Windows must be in [FIPS-compliant mode][1]. - - FIPS-compliant storage backing the host file system. - -In addition to the Operating System (OS) requirements above: -- You must have access to a FIPS-compliant Datadog environment (US1-FED). -- The FIPS Agent is only available on Agent versions 7.63 and above. - -## Installation - -{{< tabs >}} -{{% tab "Linux" %}} - -The Datadog FIPS Agent is in Preview and has not been fully audited. Install and test the Agent only on hosts that are not critical to production workloads. - -1. Remove any `fips-proxy` installations on the host by uninstalling the `datadog-fips-proxy` package with your OS package manager. For example: - - **Red Hat** - ```sh - sudo yum remove datadog-fips-proxy - ``` - **Ubuntu/Debian** - ```sh - sudo apt-get remove datadog-fips-proxy - ``` -1. Ensure that the Agent's configuration file does not contain any [FIPS proxy][2] settings. FIPS proxy settings use the `fips.*` prefix. -1. Use the [instructions for your OS][3] to uninstall the Datadog Agent. -1. Install the Agent with FIPS support. - - **Note:** FIPS support is only available on Agent versions 7.63.0 and above: - 1. If you're using the Agent install script, specify the `DD_AGENT_FLAVOR="datadog-fips-agent"` environment variable in your installation command. 
For example: - - ```sh - DD_SITE="ddog-gov.com" DD_API_KEY="MY_API_KEY" DD_AGENT_FLAVOR="datadog-fips-agent" … bash -c "$(curl -L https://s3.amazonaws.com/dd-agent/scripts/install_script_agent7.sh)" - ``` - 1. If you're installing with a package, [follow the instructions][4] to install the latest `datadog-fips-agent` package available for your platform. - 1. Add `GOFIPS=1` to your Datadog environment variables, reload all service units, and restart the Datadog Agent service (`datadog-agent.service`). For example, if your host is using systemd: - - ```sh - echo "GOFIPS=1" | sudo tee -a /etc/datadog-agent/environment - systemctl daemon-reload - systemctl restart 'datadog-agent*' - ``` - 1. Run the `datadog-agent status` command and make sure you see `FIPS Mode: enabled` in the status output. - - {{< img src="/agent/fips-linux.png" alt="Your image description" style="width:100%;" >}} - -[2]: /agent/configuration/fips-compliance/ -[3]: /agent/guide/how-do-i-uninstall-the-agent/ -[4]: /agent/guide/installing-the-agent-on-a-server-with-limited-internet-connectivity/ -{{% /tab %}} - -{{% tab "Windows" %}} - -The Datadog FIPS Agent is in preview and has not been fully audited. Install and test the Agent only on hosts that are not critical to production workloads. - -1. Follow the [Windows instructions][1] to uninstall the Datadog Agent. -1. 
Run the command below to install the FIPS Agent, replacing `DATADOG_API_KEY` with your API key: - - **Note:** FIPS support is only available on Agent versions 7.63.0 and above: - - {{< code-block lang="powershell" >}} -$p = Start-Process -Wait -PassThru msiexec -ArgumentList '/qn /i https://windows-agent.datadoghq.com/datadog-fips-agent-7.64.3.msi /log C:\Windows\SystemTemp\install-datadog.log APIKEY="" SITE="ddog-gov.com"' -if ($p.ExitCode -ne 0) { - Write-Host "msiexec failed with exit code $($p.ExitCode) please check the logs at C:\Windows\SystemTemp\install-datadog.log" -ForegroundColor Red -} -{{< /code-block >}} - - To install a different preview version of the FIPS Agent, search the [list of stable Agent versions][2] for `datadog-fips-agent` and replace the MSI in the command above with your desired version. - -1. Run the Agent `status` command and make sure you see `FIPS Mode: enabled` in the status output. - - ```powershell - & "$env:ProgramFiles\Datadog\Datadog Agent\bin\agent.exe" status - ``` - - {{< img src="/agent/fips-powershell.png" alt="Your image description" style="width:100%;" >}} - - -**Note**: The program name for the FIPS Agent in **Add or Remove Programs** is "Datadog FIPS Agent." - -[1]: /agent/basic_agent_usage/windows/#uninstall-the-agent -[2]: https://windows-agent.datadoghq.com/installers_v2.json - -{{% /tab %}} -{{< /tabs >}} - -## Further reading - -{{< partial name="whats-next/whats-next.html" >}} - -[1]: https://learn.microsoft.com/en-us/windows/security/security-foundations/certification/fips-140-validation -[2]: /agent/configuration/fips-compliance/ -[3]: /integrations/guide/fips-integrations - From 8b1ae7ee977db2c79e86518fe3fee7b73c3f2ca2 Mon Sep 17 00:00:00 2001 
From: hestonhoffman Date: Tue, 6 May 2025 12:01:48 -0700 Subject: [PATCH 2/8] Fix links --- content/en/agent/faq/fips_proxy.md | 4 ++-- content/en/integrations/guide/fips-integrations.md | 5 +---- content/en/integrations/guide/jmxfetch-fips.md | 4 ++-- 3 files changed, 5 insertions(+), 8 deletions(-) diff --git a/content/en/agent/faq/fips_proxy.md b/content/en/agent/faq/fips_proxy.md index 2fc0b8e321c54..67db5922354b7 100644 --- a/content/en/agent/faq/fips_proxy.md +++ b/content/en/agent/faq/fips_proxy.md @@ -3,12 +3,12 @@ title: Agent FIPS proxy (deprecated) disable_toc: false private: true further_reading: -- link: "/agent/fips-compliance" +- link: "/agent/configuration/fips-compliance" tag: "Documentation" text: "FIPS Compliance" --- -
The Datadog FIPS Proxy is no longer the recommended solution for FIPS-compliant encryption of the Datadog Agent. Use the Datadog FIPS Agent instead.
+
The Datadog FIPS Proxy is no longer the recommended solution for FIPS-compliant encryption of the Datadog Agent. Use the Datadog FIPS Agent instead.
{{< site-region region="us,us3,us5,eu,ap1" >}}
The Datadog Agent FIPS Proxy is available only in the US1-FED region.
diff --git a/content/en/integrations/guide/fips-integrations.md b/content/en/integrations/guide/fips-integrations.md index f9eb5a5aa3f54..8a202fe0b9a6a 100644 --- a/content/en/integrations/guide/fips-integrations.md +++ b/content/en/integrations/guide/fips-integrations.md @@ -4,15 +4,12 @@ further_reading: - link: "/agent/configuration/fips-compliance" tag: "Documentation" text: "Datadog FIPS Compliance" -- link: "agent/guide/fips-agent" - tag: "Documentation" - text: "Datadog FIPS Agent" algolia: rank: 80 tags: ["fips", "compliance", "fedramp", "govcloud"] --- {{< callout url="" btn_hidden="true" header="Try the FIPS Agent Preview!">}} -A FIPS flavor of the Datadog Agent is in Preview. For more information, see FIPS Agent. +A FIPS flavor of the Datadog Agent is in Preview. For more information, see FIPS Agent. {{< /callout >}} {{< site-region region="us,us3,us5,eu,ap1" >}} diff --git a/content/en/integrations/guide/jmxfetch-fips.md b/content/en/integrations/guide/jmxfetch-fips.md index d96c108c274f8..9866b4a767a22 100644 --- a/content/en/integrations/guide/jmxfetch-fips.md +++ b/content/en/integrations/guide/jmxfetch-fips.md @@ -14,7 +14,7 @@ JMXFetch supports FIPS-140 compliant JVM configurations. It uses the default JSS {{% tab "Host" %}} - JVM configured to run in FIPS mode. -- [Datadog FIPS Agent](/agent/guide/fips-agent/) installed on the host. +- [Datadog FIPS Agent](/agent/configuration/fips-compliance) installed on the host. - Appropriate TLS/SSL certificates if encrypted JMX connection is required. **Note**: The Datadog Agent host installation does not include Java runtime. You must install and configure Java in FIPS-approved mode separately. 
@@ -23,7 +23,7 @@ JMXFetch supports FIPS-140 compliant JVM configurations. It uses the default JSS {{% tab "Containers" %}} -- [Datadog FIPS Agent](/agent/guide/fips-agent/) Docker image with JMX support. +- [Datadog FIPS Agent](/agent/configuration/fips-compliance) Docker image with JMX support. - Appropriate TLS/SSL certificates if encrypted JMX connection is required. (Private keys must be generated with the `keytool` utility provided in the container. See [Generating certificates](#generating-certificates) for more details.) From 2640b62f5a09ee31601b4475ea72967821690a73 Mon Sep 17 00:00:00 2001 From: hestonhoffman Date: Tue, 6 May 2025 13:59:09 -0700 Subject: [PATCH 3/8] Edits from review --- content/en/agent/faq/fips_proxy.md | 2 +- content/en/integrations/guide/fips-integrations.md | 9 ++++----- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/content/en/agent/faq/fips_proxy.md b/content/en/agent/faq/fips_proxy.md index 67db5922354b7..9566c296239ed 100644 --- a/content/en/agent/faq/fips_proxy.md +++ b/content/en/agent/faq/fips_proxy.md @@ -1,5 +1,5 @@ --- -title: Agent FIPS proxy (deprecated) +title: Agent FIPS proxy disable_toc: false private: true further_reading: diff --git a/content/en/integrations/guide/fips-integrations.md b/content/en/integrations/guide/fips-integrations.md index 8a202fe0b9a6a..9ba1b98e5d760 100644 --- a/content/en/integrations/guide/fips-integrations.md +++ b/content/en/integrations/guide/fips-integrations.md @@ -8,15 +8,14 @@ algolia: rank: 80 tags: ["fips", "compliance", "fedramp", "govcloud"] --- -{{< callout url="" btn_hidden="true" header="Try the FIPS Agent Preview!">}} -A FIPS flavor of the Datadog Agent is in Preview. For more information, see FIPS Agent. -{{< /callout >}} {{< site-region region="us,us3,us5,eu,ap1" >}} -
The Datadog Agent FIPS Proxy is available only in the US1-FED region.
+
The Datadog FIPS Agent is available only in the US1-FED region.
{{< /site-region >}} + ## Overview -As part of the FedRAMP High effort, a number of integrations have been verified for **FIPS 140-2** compliance. Integrations that are not mentioned below may function in compliance with FIPS 140-2 but have not been tested internally. + +As part of the FedRAMP High effort, several integrations have been verified for **FIPS 140-2** compliance. Integrations that are not mentioned below may function in compliance with FIPS 140-2 but have not been tested internally. This guide is for customers that require FIPS compliant services and use Datadog integrations. From d2578689a26bf281ec377d5934f0d85cde332974 Mon Sep 17 00:00:00 2001 From: hestonhoffman Date: Tue, 6 May 2025 14:32:52 -0700 Subject: [PATCH 4/8] Remove preview language --- content/en/agent/configuration/fips-compliance.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/content/en/agent/configuration/fips-compliance.md b/content/en/agent/configuration/fips-compliance.md index 7e46915ff8ce2..716dda51cfa07 100644 --- a/content/en/agent/configuration/fips-compliance.md +++ b/content/en/agent/configuration/fips-compliance.md @@ -75,8 +75,6 @@ In addition to the Operating System (OS) requirements above: {{< tabs >}} {{% tab "Linux" %}} -The Datadog FIPS Agent is in Preview and has not been fully audited. Install and test the Agent only on hosts that are not critical to production workloads. - 1. Remove any `fips-proxy` installations on the host by uninstalling the `datadog-fips-proxy` package with your OS package manager. For example: **Red Hat** 
@@ -116,8 +114,6 @@ The Datadog FIPS Agent is in Preview and has not been fully audited. Install and {{% tab "Windows" %}} -The Datadog FIPS Agent is in preview and has not been fully audited. Install and test the Agent only on hosts that are not critical to production workloads. - 1. Follow the [Windows instructions][1] to uninstall the Datadog Agent. 1. Run the command below to install the FIPS Agent, replacing `DATADOG_API_KEY` with your API key: @@ -130,8 +126,6 @@ if ($p.ExitCode -ne 0) { } {{< /code-block >}} - To install a different preview version of the FIPS Agent, search the [list of stable Agent versions][2] for `datadog-fips-agent` and replace the MSI in the command above with your desired version. - 1. Run the Agent `status` command and make sure you see `FIPS Mode: enabled` in the status output. ```powershell From 9c44de20932121733003cd34041d7f19044bddc4 Mon Sep 17 00:00:00 2001 From: Heston Hoffman Date: Tue, 6 May 2025 16:47:28 -0700 Subject: [PATCH 5/8] Apply suggestions from code review Co-authored-by: Ida Adjivon <65119712+iadjivon@users.noreply.github.com> --- content/en/agent/faq/fips_proxy.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/agent/faq/fips_proxy.md b/content/en/agent/faq/fips_proxy.md index 9566c296239ed..59117b7540bf3 100644 --- a/content/en/agent/faq/fips_proxy.md +++ b/content/en/agent/faq/fips_proxy.md @@ -49,7 +49,7 @@ The Datadog Agent FIPS Proxy does **not** support the following: - Serverless Monitoring - Communication between Cluster Agent and Node Agents - Agent integrations -- Outbound communication to anything other than GovCloud +- Outbound communication to anything other than the US1-FED region site ## Prerequisites 
@@ -204,7 +204,7 @@ For instructions on installing the FIPS proxy on Amazon ECS, see [FIPS proxy for You, the Datadog customer, are responsible for **host** security and hardening. -Security considerations: +**Security considerations:** - While the Datadog images provided are constructed with security in mind, they have not been evaluated against CIS benchmark recommendations or DISA STIG standards. - If you rebuild, reconfigure, or modify the Datadog Agent FIPS Proxy to fit your deployment or testing needs, you might end up with a technically working setup, but Datadog cannot guarantee FIPS compliance if the Datadog Agent FIPS Proxy is not used exactly as explained in the documentation. - If you did not follow the installation steps listed above exactly as documented, Datadog cannot guarantee FIPS compliance. Correct configuration includes having your Datadog Agent configured to communicate to the Datadog Agent FIPS Proxy by setting the `fips.enabled` option, and having a running Datadog Agent FIPS Proxy. From a643028dbad79b6e54224090843386b902eb545d Mon Sep 17 00:00:00 2001 From: Heston Hoffman Date: Tue, 6 May 2025 16:49:42 -0700 Subject: [PATCH 6/8] Update content/en/agent/faq/fips_proxy.md --- content/en/agent/faq/fips_proxy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/agent/faq/fips_proxy.md b/content/en/agent/faq/fips_proxy.md index 59117b7540bf3..68ad8f941e0d0 100644 --- a/content/en/agent/faq/fips_proxy.md +++ b/content/en/agent/faq/fips_proxy.md @@ -54,7 +54,7 @@ The Datadog Agent FIPS Proxy does **not** support the following: ## Prerequisites - TCP port range available: 9803 to 9818 -- Datadog Agent >= v7.41 +- Datadog Agent >= v7.45 ## Install the Agent with FIPS support From 9480508f6ab9270c19ab79535bee4299c75768be Mon Sep 17 00:00:00 2001 
From: hestonhoffman Date: Wed, 7 May 2025 08:43:46 -0700 Subject: [PATCH 7/8] Update version numbers --- content/en/agent/configuration/fips-compliance.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/content/en/agent/configuration/fips-compliance.md b/content/en/agent/configuration/fips-compliance.md index 716dda51cfa07..0c2b4068c3dcd 100644 --- a/content/en/agent/configuration/fips-compliance.md +++ b/content/en/agent/configuration/fips-compliance.md @@ -14,7 +14,7 @@ further_reading: text: "Monitor highly regulated workloads with Datadog's FIPS-enabled Agent" algolia: rank: 80 - tags: ["fips", "fips proxy", "compliance", "fedramp", "govcloud"] + tags: ["fips", "fips proxy", "compliance", "fedramp", "govcloud", "fips agent"] --- {{< site-region region="us,us3,us5,eu,ap1" >}} @@ -32,7 +32,7 @@ Supported platforms: | Bare metal and VMs | RHEL >= 7
Debian >= 8
Ubuntu >= 14.04
SUSE >= 12
Windows Server >= 2016
Windows >= 10| | Cloud and container| Amazon ECS
AWS EKS (Helm)| -Supported products (Agent 7.45+): +Supported products (Agent 7.65.0 and above): - Metrics - Logs - APM traces @@ -68,7 +68,7 @@ The Datadog FIPS Agent does **not** support the following: In addition to the Operating System (OS) requirements above: - You must have access to a FIPS-compliant Datadog environment (US1-FED). -- The FIPS Agent is only available on Agent versions 7.63 and above. +- The FIPS Agent is only available on Agent versions 7.65.0 and above. ## Installation @@ -89,7 +89,7 @@ In addition to the Operating System (OS) requirements above: 1. Use the [instructions for your OS][3] to uninstall the Datadog Agent. 1. Install the Agent with FIPS support. - **Note:** FIPS support is only available on Agent versions 7.63.0 and above: + **Note:** FIPS support is only available on Agent versions 7.65.0 and above: 1. If you're using the Agent install script, specify the `DD_AGENT_FLAVOR="datadog-fips-agent"` environment variable in your installation command. For example: ```sh 
@@ -117,10 +117,10 @@ In addition to the Operating System (OS) requirements above: 1. Follow the [Windows instructions][1] to uninstall the Datadog Agent. 1. Run the command below to install the FIPS Agent, replacing `DATADOG_API_KEY` with your API key: - **Note:** FIPS support is only available on Agent versions 7.63.0 and above: + **Note:** FIPS support is only available on Agent versions 7.65.0 and above: {{< code-block lang="powershell" >}} -$p = Start-Process -Wait -PassThru msiexec -ArgumentList '/qn /i https://windows-agent.datadoghq.com/datadog-fips-agent-7.64.3.msi /log C:\Windows\SystemTemp\install-datadog.log APIKEY="" SITE="ddog-gov.com"' +$p = Start-Process -Wait -PassThru msiexec -ArgumentList '/qn /i https://windows-agent.datadoghq.com/datadog-fips-agent-7.65.0.msi /log C:\Windows\SystemTemp\install-datadog.log APIKEY="" SITE="ddog-gov.com"' if ($p.ExitCode -ne 0) { Write-Host "msiexec failed with exit code $($p.ExitCode) please check the logs at C:\Windows\SystemTemp\install-datadog.log" -ForegroundColor Red } From 84e5a50bfb958d4bc920790245d480b2c6db363e Mon Sep 17 00:00:00 2001 From: hestonhoffman Date: Tue, 13 May 2025 14:42:26 -0700 Subject: [PATCH 8/8] More edits --- .../en/agent/configuration/fips-compliance.md | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/content/en/agent/configuration/fips-compliance.md b/content/en/agent/configuration/fips-compliance.md index d04f406f155ed..3b19b6359b5cd 100644 --- a/content/en/agent/configuration/fips-compliance.md +++ b/content/en/agent/configuration/fips-compliance.md 
@@ -25,12 +25,16 @@ The FIPS Agent is a flavor of the Datadog Agent that natively supports Federal I ## Supported platforms and limitations +The FIPS Agent's compliance is based on its use of the FIPS 140-2 validated [Cryptographic Module - Certificate #4282][1]. See the related [security policy][2] for information about validated operating environments and restrictions. + +**It is your responsibility to ensure operating environment compliance with the security policy and wider FIPS guidance.** + Supported platforms: ||| | --- | ----------- | | Bare metal and VMs | RHEL >= 7
Debian >= 8
Ubuntu >= 14.04
SUSE >= 12
Windows Server >= 2016
Windows >= 10| -| Cloud and container| Amazon ECS
AWS EKS (Helm)| +| Cloud and container| Amazon ECS
AWS EKS (Helm)
Docker| Supported products (Agent 7.65.0 and above): - Metrics @@ -143,9 +147,20 @@ if ($p.ExitCode -ne 0) { {{% /tab %}} {{< /tabs >}} +## Security and hardening + +You, the Datadog customer, are responsible for **host** security and hardening. + +**Security considerations:** +- While the Datadog images provided are constructed with security in mind, they have not been evaluated against CIS benchmark recommendations or DISA STIG standards. +- If you rebuild, reconfigure, or modify the Datadog FIPS Agent to fit your deployment or testing needs, you might end up with a technically working setup, but Datadog cannot guarantee FIPS compliance if the Datadog FIPS Agent is not used exactly as explained in the documentation. +- If you did not follow the installation steps listed above exactly as documented, Datadog cannot guarantee FIPS compliance. + ## Further reading {{< partial name="whats-next/whats-next.html" >}} +[1]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4282 +[2]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4282.pdf [2]: /agent/configuration/fips-compliance/ [3]: /integrations/guide/fips-integrations \ No newline at end of file
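Review bot: Deleting the whole "Troubleshooting a host or VM installation" section in the fips-compliance.md hunk of PATCH 1/8 leaves the FIPS Agent page with no failure path beyond "make sure you see `FIPS Mode: enabled`"; add a short troubleshooting entry for the case where `datadog-agent status` does not report `FIPS Mode: enabled` (for example `GOFIPS=1` missing from `/etc/datadog-agent/environment`, `systemctl daemon-reload` not run before the restart, or the OS not in FIPS mode), since those are exactly the steps the new install procedure depends on. The proxy-specific material (ports 9803 to 9818, haproxy bind and backend errors, the `resolvers` block) belongs with the proxy FAQ, so removing it from this page is right.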
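Review bot: The Linux install block carried from the deleted content/en/agent/guide/fips-agent.md (PATCH 1/8) into fips-compliance.md mixes privilege levels: `echo "GOFIPS=1" | sudo tee -a /etc/datadog-agent/environment` uses sudo, but the following `systemctl daemon-reload` and `systemctl restart 'datadog-agent*'` do not, so for a non-root user the last two steps fail and the Agent keeps running without FIPS mode; prefix them with `sudo`. The same block ships `alt="Your image description"` on both `{{< img >}}` shortcodes (Linux and Windows tabs), which is template placeholder text; replace it with a description of what the screenshot shows, e.g. "Agent status output showing FIPS Mode: enabled".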
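Review bot: The rewritten links in content/en/integrations/guide/jmxfetch-fips.md (PATCH 2/8) drop the trailing slash (`/agent/configuration/fips-compliance`) that the replaced `/agent/guide/fips-agent/` had, while the deleted guide's own references used the slashed form (`/agent/configuration/fips-compliance/`); pick one style for the internal links this series touches so link checking stays consistent.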
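Review bot: Removing the sentence "To install a different preview version of the FIPS Agent, search the [list of stable Agent versions][2] ..." in the Windows hunk of PATCH 4/8 (@@ -130,8) orphans the `[2]: https://windows-agent.datadoghq.com/installers_v2.json` reference definition in that tab (visible in the deleted guide this tab came from) and drops the only guidance on choosing a different MSI; either delete the now-unused definition or keep a non-preview version of the sentence pointing at the installers list.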
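Review bot: The prerequisite bump from `Datadog Agent >= v7.41` to `>= v7.45` in PATCH 6/8 raises a compatibility floor for existing proxy users with no stated reason; since the old fips-compliance.md header read "Supported products (Agent 7.45+)", say in the FAQ that 7.45 is the floor for full product support so readers on 7.41 to 7.44 know whether they must upgrade before relying on the proxy for compliance.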
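Review bot: Pinning `datadog-fips-agent-7.65.0.msi` in the msiexec command (PATCH 7/8, hunk @@ -117,10) while the note just above it says "7.65.0 and above" means the example lags every release and readers copy an old installer; either state that `7.65.0` in the URL is to be replaced with the version being installed, or point to the installers list. Related: the other hunks in this patch change the version floor from 7.63 to 7.65.0 in three places; grep for any remaining `7.63` or `7.64.3` after the rebase so the page does not advertise two different minimums.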
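Review bot: Adding `Docker` to the "Cloud and container" row (PATCH 8/8, hunk @@ -25,12) needs to be reconciled with the Requirements section this page inherited from the deleted guide ("A non-containerized Linux host" / "A non-containerized Windows host"), which the PATCH 7/8 context ("In addition to the Operating System (OS) requirements above") shows is still present; as written the table says Docker is supported and the requirements say containers are not. Update the requirements to cover the container case (FIPS mode on the container host, image used as shipped) or drop the "non-containerized" wording. The new sentence tying compliance to Certificate #4282 and the bold responsibility statement are the right framing for a compliance page.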
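Review bot: The added `+[2]: https://csrc.nist.gov/.../140sp4282.pdf` line in the second hunk of PATCH 8/8 (@@ -143,9) defines the same reference label as the unchanged ` [2]: /agent/configuration/fips-compliance/` two lines below; Markdown resolves a duplicate label to its first definition, so the leftover self-link from the deleted guide now silently points at the security policy PDF. Drop the self-link (it is this page) and also check whether the page still uses `[1]` for the Windows "FIPS-compliant mode" link that the deleted guide defined as `[1]: https://learn.microsoft.com/...`; if so the new `+[1]:` certificate definition collides with it and one of the two needs a fresh label. Finally, end the file with a newline (`\ No newline at end of file`).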