Add FIPS-hardened Docker images feature to roadmap

This commit is contained in:
Avni Ademi 2026-01-27 19:38:58 +01:00
parent 40895c24cf
commit d5e08300f4
2 changed files with 107 additions and 1 deletions

View File

@ -387,6 +387,111 @@ setup_compliance_reporting()
--- ---
## FIPS-Hardened Docker Images
### Overview
Add support for using FIPS 140-2 validated Docker images and configuring Docker to run in FIPS-compliant mode for environments requiring cryptographic compliance.
### Goals
- Configure Docker to use FIPS-validated cryptographic libraries
- Support for FIPS-hardened base images
- Ensure container runtime uses FIPS-compliant crypto
- Validate Docker daemon FIPS compliance
- Support for FIPS-validated container registries
### Proposed Implementation
#### Features to Include:
1. **Docker FIPS Configuration**
- Enable FIPS mode in Docker daemon
- Configure FIPS-validated cryptographic libraries
- Verify Docker engine FIPS compliance
- Set up FIPS-compliant TLS for Docker API
2. **FIPS-Hardened Base Images**
- Support for Red Hat UBI (Universal Base Image) FIPS images
- Support for FIPS-validated base images
- Image scanning for FIPS compliance
- Custom FIPS-hardened image building
3. **Container Runtime Security**
- Ensure containers use FIPS-validated crypto
- Configure containerd/runc for FIPS mode
- Validate container image signatures
- Enforce FIPS-approved algorithms only
4. **Image Registry Integration**
- Support for FIPS-compliant registries
- Image signing and verification
- FIPS compliance scanning
- Secure image pull/push
5. **Compliance Validation**
- Docker FIPS compliance checks
- Container image FIPS validation
- Runtime FIPS mode verification
- Compliance reporting
### UI Integration
Add to the web form:
- [ ] Enable FIPS-hardened Docker mode
- [ ] Select FIPS-validated base images
- [ ] Configure FIPS-compliant image registry
- [ ] Enable FIPS compliance scanning
- [ ] Set up image signing/verification
- [ ] Configure FIPS-validated TLS for Docker API
### Technical Considerations
#### Tools to Integrate:
- `docker` with FIPS-validated libraries
- `containerd` / `runc` (FIPS-compliant versions)
- Red Hat UBI FIPS images
- Image scanning tools (Trivy, Clair)
- Image signing tools (cosign, Notary)
#### FIPS Requirements:
- System must have FIPS mode enabled
- Docker daemon must use FIPS-validated OpenSSL
- Container runtime must use FIPS crypto modules
- Base images must be FIPS-validated (e.g., Red Hat UBI FIPS)
- Only FIPS-approved algorithms (AES-256, SHA-256, RSA, ECDSA)
#### Script Structure:
```bash
# Proposed function structure
enable_docker_fips_mode()
configure_fips_docker_daemon()
setup_fips_hardened_images()
validate_docker_fips_compliance()
configure_fips_image_registry()
scan_images_fips_compliance()
```
### Security Considerations
- Use only FIPS-validated cryptographic libraries
- Verify Docker daemon FIPS compliance
- Scan all container images for FIPS compliance
- Use signed and verified images only
- Enforce FIPS mode at container runtime
- Regular FIPS compliance audits
### FIPS-Validated Image Sources
- **Red Hat UBI FIPS** - FIPS-validated Universal Base Images
- **RHEL FIPS images** - Red Hat Enterprise Linux FIPS containers
- **Custom FIPS images** - Build from FIPS-validated base images
- **Third-party FIPS images** - From FIPS-compliant vendors
### Status
**Status:** Planned for future release
**Priority:** High (for FIPS-required environments)
**Estimated Complexity:** High
---
## Other Planned Features ## Other Planned Features
### Additional server setup options ### Additional server setup options
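Review bot: the hunk uses "FIPS mode" for two different things and never says which mechanism the proposed functions rely on. "Enable FIPS mode in Docker daemon" under Docker FIPS Configuration and `enable_docker_fips_mode()` in the script structure suggest a daemon-level switch, while the FIPS Requirements section says "System must have FIPS mode enabled" and "Docker daemon must use FIPS-validated OpenSSL", which are host-level properties. Please document what `enable_docker_fips_mode()` actually changes and what `validate_docker_fips_compliance()` checks (for example, that `/proc/sys/crypto/fips_enabled` reads 1 on the host and that the daemon's TLS configuration is restricted to the approved algorithms), otherwise the roadmap promises a control that may not exist. Two smaller points in the same hunk: "Image scanning for FIPS compliance" lists Trivy and Clair, which are vulnerability scanners and do not assess cryptographic module validation, so `scan_images_fips_compliance()` should either be renamed to what it does (CVE scanning of FIPS base images) or describe the check it performs; and "Only FIPS-approved algorithms (AES-256, SHA-256, RSA, ECDSA)" should state minimum key sizes and curves for RSA and ECDSA, since those are what the TLS and image-signing settings will need to enforce.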

View File

@ -186,8 +186,9 @@ See [FEATURES.md](FEATURES.md) for a list of planned features and enhancements.
### Upcoming Features: ### Upcoming Features:
- 🔒 **Automated CVE-based Security Patching** - Monitor CVE databases and apply security patches automatically - 🔒 **Automated CVE-based Security Patching** - Monitor CVE databases and apply security patches automatically
- 🔐 **VPN Server Setup** - Configure WireGuard, OpenVPN, or IPSec VPN for organizations - 🔐 **VPN Server Setup** - Configure WireGuard, OpenVPN, or IPSec VPN for organizations (with FIPS 140-2 support)
- 🛡️ **Central SIEM Server** - Set up centralized Security Information and Event Management (ELK, Wazuh, Graylog) - 🛡️ **Central SIEM Server** - Set up centralized Security Information and Event Management (ELK, Wazuh, Graylog)
- 🐳 **FIPS-Hardened Docker Images** - Configure Docker with FIPS 140-2 validated images and crypto libraries
- 📊 **Enhanced Monitoring** - Integration with Prometheus, Grafana - 📊 **Enhanced Monitoring** - Integration with Prometheus, Grafana
- 🔐 **SSL/TLS Certificate Management** - Automated Let's Encrypt setup - 🔐 **SSL/TLS Certificate Management** - Automated Let's Encrypt setup
- 💾 **Backup Automation** - Automated backup solutions - 💾 **Backup Automation** - Automated backup solutions
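Review bot: the VPN Server Setup line gains "(with FIPS 140-2 support)" in this hunk, but the commit message only describes adding the FIPS-Hardened Docker Images feature and the FEATURES.md hunk above does not touch the VPN section. Either mention the VPN wording change in the commit message or split it into its own commit so the README and FEATURES.md stay in step; the new "🐳 **FIPS-Hardened Docker Images**" entry itself matches the FEATURES.md section and reads fine.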