This guide will walk through configuring Cribl Stream in FIPS mode when running on RHEL9 by leveraging the OpenSSL3 FIPS provider that is included when RHEL9 is running in FIPS mode. As of September 2024, the cryptographic modules of RHEL 9 are not yet FIPS 140-3 certified.
*** Prior to performing the below steps, please ensure that RHEL9 is running in FIPS mode. ***
Configure the Leader Node
As of version 4.7, RBAC is required to run Stream in FIPS mode. Before starting the Leader for the first time, the license needs to be applied and “mode-master” needs to be configured. In the example below, all commands are run as the 'root' user.
- Ensure that git (version 1.8.3.1 or higher) is installed on the host:
[root@rhel9-stig-leader-1 ec2-user]# git -v
git version 2.43.5
- If using fapolicy, follow the fapolicy configuration guide to trust the git core binary and create the rules policy.
- Create the Cribl user:
adduser cribl
- Change directory to /opt/ and then download and uncompress the Cribl binary. This example uses x64; modify as needed based on your specific architecture (see the download page for options):
cd /opt/
curl -Lso - $(curl https://cdn.cribl.io/dl/latest-x64) | tar zxv
- Use ONE of the below methods to create the licenses.yml file and add the license to the $CRIBL_HOME/local/cribl/ directory:
OPTION 1:
Set an environment variable $CRIBL_LICENSE that contains the value of the license key. Ensure that $CRIBL_HOME is also set, then run:
if [ ! -e "$CRIBL_HOME/local/cribl/licenses.yml" ]; \
then mkdir -p "$CRIBL_HOME/local/cribl"; \
echo -e "licenses:\n- $CRIBL_LICENSE" > "$CRIBL_HOME/local/cribl/licenses.yml"; fi
OPTION 2:
Create a licenses.yml file based on this doc.
- Generate the FIPS configuration file using the directory /etc/pki/tls and then modify the generated file by replacing fipsmodule.cnf with fips_local.cnf.
/opt/cribl/bin/cribl generateFipsConf -d /etc/pki/tls
sed -i 's/fipsmodule.cnf/fips_local.cnf/g' $CRIBL_HOME/state/nodejs.cnf
- Configure Stream to start as a Leader in Distributed mode:
/opt/cribl/bin/cribl mode-master
- Change ownership for the cribl user to own the /opt/cribl directory:
chown -R cribl:cribl /opt/cribl
- Create an override.conf file that specifies the necessary FIPS environment variables. Run this command first and get the OPENSSLDIR value:
openssl version -a
Set the OPENSSL_MODULES value below to the OPENSSLDIR from the command above:
mkdir -p /etc/systemd/system/cribl.service.d/
cat <<EOL > /etc/systemd/system/cribl.service.d/override.conf
# Custom configurations for the service file
[Service]
Environment="OPENSSL_MODULES=<YOUR_VALUE_HERE>"
Environment="OPENSSL_CONF=/opt/cribl/state/nodejs.cnf"
Environment="CRIBL_FIPS=1"
EOL
- Enable Cribl to be managed by systemd:
/opt/cribl/bin/cribl boot-start enable -u cribl
- Start the Cribl service:
systemctl start cribl
Bootstrapping a Worker
- Create a NodeJS configuration file at $CRIBL_HOME/state/nodejs.cnf. Copy one from the Leader. For STIGed RHEL 9, it will look like this:
mkdir -p /opt/cribl/state/
cat <<EOL > /opt/cribl/state/nodejs.cnf
nodejs_conf = nodejs_init
.include /etc/pki/tls/fips_local.cnf
[nodejs_init]
providers = provider_sect
# this tells nodejs to enable fips at startup
alg_section = algorithm_sect
[provider_sect]
default = default_sect
# The fips section name should match the section name inside the
# included fips_local.cnf.
fips = fips_sect
[default_sect]
activate = 1
[algorithm_sect]
default_properties = fips=yes
EOL
- Create an override.conf file:
mkdir -p /etc/systemd/system/cribl.service.d/
cat <<EOL > /etc/systemd/system/cribl.service.d/override.conf
# Custom configurations for the service file
[Service]
Environment="OPENSSL_MODULES=/usr/lib64/ossl-modules"
Environment="OPENSSL_CONF=/opt/cribl/state/nodejs.cnf"
Environment="CRIBL_FIPS=1"
EOL
- Run the bootstrap command that was generated from the Leader:
curl 'http://rhel9-stig-leader-1:9000/init/install-worker.sh?group=default&token=XXXXXX&user=cribl&user_group=cribl&install_dir=%2Fopt%2Fcribl' | bash -
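The checks a practitioner would want to run before the first `systemctl start cribl` on either the Leader or a Worker, as an added example that is not Cribl's own tooling: it validates the git version from the `git -v` output shown above, pulls a directory out of `openssl version -a` output, confirms the FIPS provider module sits in the directory OPENSSL_MODULES will point at, and checks that a nodejs.cnf's `fips =` section name is defined in the included fips_local.cnf. The embedded openssl output is a constructed sample, and the fips.so file name is an assumption about the RHEL 9 layout.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the Leader and Worker steps above. Added example, not Cribl's
# tooling. Assumes a RHEL 9 layout where the OpenSSL 3 FIPS provider is
# <OPENSSL_MODULES>/fips.so (the Worker step above uses /usr/lib64/ossl-modules).

# Constructed sample of `openssl version -a` output, used for the offline checks.
SAMPLE_OPENSSL_VERSION='OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
OPENSSLDIR: "/etc/pki/tls"
ENGINESDIR: "/usr/lib64/engines-3"
MODULESDIR: "/usr/lib64/ossl-modules"'

# True when the kernel is in FIPS mode (the precondition at the top of the guide).
kernel_fips_enabled() { [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = "1" ]; }

# git >= 1.8.3.1; accepts "2.43.5" or the full `git -v` line "git version 2.43.5".
git_version_ok() {
    local have="${1#git version }" IFS=. h1 h2 h3 h4
    set -- $have                    # split on dots; missing components count as 0
    h1=${1:-0} h2=${2:-0} h3=${3:-0} h4=${4:-0}
    [ "$h1" -gt 1 ] && return 0; [ "$h1" -lt 1 ] && return 1
    [ "$h2" -gt 8 ] && return 0; [ "$h2" -lt 8 ] && return 1
    [ "$h3" -gt 3 ] && return 0; [ "$h3" -lt 3 ] && return 1
    [ "$h4" -ge 1 ]
}

# Print one directory (key in $1, e.g. MODULESDIR) from `openssl version -a` output on stdin.
openssl_dir() { sed -n "s/^$1: \"\([^\"]*\)\"\$/\1/p"; }

# The FIPS provider must exist in the directory OPENSSL_MODULES will point at.
fips_provider_present() { [ -f "$1/fips.so" ]; }

# Validate a nodejs.cnf: its .include target must be readable, and the section
# named by "fips = <name>" must be defined inside that included file.
nodejs_cnf_ok() {
    local cnf="$1" inc sect
    inc=$(sed -n 's/^\.include[[:space:]]*//p' "$cnf" | head -n1)
    [ -n "$inc" ] && [ -r "$inc" ] || return 1
    sect=$(sed -n 's/^fips[[:space:]]*=[[:space:]]*//p' "$cnf" | head -n1)
    [ -n "$sect" ] && grep -q "^\[$sect\]" "$inc"
}

# Live run on a host (not exercised offline); every check must pass before starting cribl.
preflight() {
    local modules
    modules=$(openssl version -a | openssl_dir MODULESDIR)
    kernel_fips_enabled && git_version_ok "$(git -v)" &&
        fips_provider_present "$modules" && nodejs_cnf_ok /opt/cribl/state/nodejs.cnf
}
```

Run `preflight` as root on the host after writing nodejs.cnf; a non-zero exit means one of the prerequisites above is not in place.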