Key | Value |
---|---|
Summary | Use Landscape’s dashboard to identify and manage machines with the Ubuntu Advantage FIPS entitlement enabled |
Categories | landscape, fips, server |
Difficulty | 1 |
Author | Rajan Patel rajan.patel@canonical.com |
Overview
Duration: 3:00
In this tutorial, you will learn how to use Landscape’s dashboard to track FIPS compliance on one or many machines that have the Ubuntu Advantage FIPS entitlement enabled.
The Ubuntu Advantage client (UA Client) provides a simple mechanism to view, enable, and disable offerings from Canonical on your system. UA Client produces machine-readable output and integrates with other Canonical or third-party tooling. Beyond FIPS, UA Client can enable Ubuntu Advantage services such as Extended Security Maintenance (ESM), Ubuntu Security Guide (USG), Livepatch, and more.
Landscape is Canonical’s systems management and monitoring solution. You will compose interactions with UA Client into a Landscape-aware shell script, and track which systems are configured to be FIPS certified, FIPS compliant, or lacking FIPS enablement entirely.
Landscape enables you to divide your Ubuntu estate into cross sections by tags, groups, annotations, and search queries that can also filter hardware and software metadata. These cross sections, regardless of size, can be monitored and managed as easily as one machine.
Prerequisites
Duration: 10:00
To complete this tutorial, you will need a machine running Ubuntu Pro. If you are not running Ubuntu Pro, any other supported Ubuntu LTS will work, provided it has the following:
- An Ubuntu One account
- An Ubuntu Advantage for Infrastructure subscription
- UA Client attached to your Ubuntu Advantage for Infrastructure subscription
- Landscape Client installed and registered with either Landscape on-prem or Landscape SaaS
- Landscape Client is allowed to remotely execute scripts
Obtain an Ubuntu Advantage for Infrastructure subscription
Anyone can use Ubuntu Advantage for Infrastructure for free on up to 3 machines.
Customers with larger needs can mix and match Ubuntu Advantage Essential, Standard, and Advanced subscription types within one Ubuntu Advantage account. All Ubuntu Advantage subscriptions come with certified cryptography modules for users interested in FIPS, and Landscape on-premises.
Visit ubuntu.com/advantage to create or sign in to your Ubuntu One account, and obtain an Ubuntu Advantage for Infrastructure subscription that matches your needs.
Attach UA Client to your Ubuntu Advantage account
Your UA token is used to connect the UA client you have installed on your machines to your Ubuntu Advantage for Infrastructure subscription.
Let’s first check whether you have already attached your UA token to the UA client by running:
ua status
The output will look like this:
SERVICE AVAILABLE DESCRIPTION
cc-eal no Common Criteria EAL2 Provisioning Packages
esm-infra yes UA Infra: Extended Security Maintenance (ESM)
fips yes NIST-certified core packages
fips-updates yes NIST-certified core packages with priority security updates
livepatch yes Canonical Livepatch service
usg yes Security compliance and audit tools
This machine is not attached to a UA subscription.
See https://ubuntu.com/advantage
You can see that this is not yet attached to a UA subscription. Let’s fix that now.
Your UA token can be found on your Ubuntu Advantage dashboard. To access your dashboard, you need an Ubuntu One account. If you still need to create one, ensure that you use the email address used to purchase your subscription.
The Ubuntu One account functions as a Single Sign On, so once logged in, you can type the address for the Ubuntu Advantage dashboard into the browser’s address bar: ubuntu.com/advantage. Then click on a subscription in the left hand column, and the Documentation tab in the right hand column. Now you’re ready to attach your UA token to the UA client. Look for the copy-and-paste-ready command to attach a machine; it will look similar to this:
sudo ua attach <your_ua_token>
Configure Landscape
The Landscape quickstart deployment guide offers the shortest path to a functional Landscape Server instance, and to enrolling a machine to be managed by Landscape with Landscape Client. If you do not wish to install and maintain Landscape yourself, Canonical offers Landscape through a software-as-a-service model for any machine with an Ubuntu Advantage subscription.
Eliminate the server installation step and relieve yourself of any maintenance activities to keep Landscape up to date with Landscape SaaS.
The Landscape Client steps from the quickstart deployment guide are accurate for both Landscape SaaS and Landscape on-premises users. During installation, Landscape Client will request permission for executing scripts remotely for all users.
Landscape has a feature which enables administrators to run
arbitrary scripts on machines under their control. By default this
feature is disabled in the client, disallowing any arbitrary script
execution. If enabled, the set of users that scripts may run as is
also configurable.
Enable script execution? [y/N]:
Answering yes to the Enable script execution prompt is required for this tutorial to work successfully.
By default, scripts are restricted to the 'landscape' and
'nobody' users. Please enter a comma-delimited list of users
that scripts will be restricted to. To allow scripts to be run
by any user, enter "ALL".
Script users: ALL
Answering ALL to the Script users prompt is not necessary to complete this tutorial. To be maximally useful, Landscape Client should be able to execute scripts with elevated privileges (such as root) on an as-needed basis. This tutorial will work if you restrict Script users to the landscape user, which is used by the Landscape Client.
Landscape scripts
Duration: 3:00
When logging into the Landscape dashboard, the secondary navigation for Scripts takes you to the central place within Landscape where shell scripts are organized. Once there, click Add Script.
Add the “FIPS Certified - Enable” script
Title: FIPS Certified - Enable
Code:
```bash
#!/bin/bash
fipsenable() {
  local FIPSENTITLEMENT
  local FIPSENABLED
  local UASTATUS
  local UANOTATTACHED
  UASTATUS=$(ua status)
  # 1 when no UA subscription is attached, otherwise 0
  UANOTATTACHED=$(echo "$UASTATUS" | grep -c 'This machine is not attached to a UA subscription.')
  if [[ $UANOTATTACHED -eq 0 ]]; then
    # ENTITLED column of the 'fips' line; anchored so 'fips-updates' can never match
    FIPSENTITLEMENT=$(echo "$UASTATUS" | grep -m 1 '^fips ' | awk '{ print $2 }' | grep -c 'yes')
    if [[ $FIPSENTITLEMENT -eq 1 ]]; then
      ua enable fips --assume-yes
      UASTATUS=$(ua status)
      echo "'ua status' reports FIPS is $(servicestatus 'fips')"
      # the FIPS kernel and modules only take effect after a reboot
      shutdown -r 1 &
    fi
  fi
  fipsannotations "$UASTATUS" "$UANOTATTACHED"
  # mark the Landscape activity as failed if FIPS is still not enabled
  FIPSENABLED=$(servicestatus 'fips' | grep -c 'enabled')
  if [[ $FIPSENABLED -eq 0 ]]; then
    exit 1
  fi
}
fipsannotations() {
  # $2 is the "not attached" flag; UASTATUS is visible here through bash's dynamic scoping
  if [[ $2 -eq 1 ]]; then
    echo 'unavailable' > /var/lib/landscape/client/annotations.d/fips
    echo 'unavailable' > /var/lib/landscape/client/annotations.d/fips-updates
  else
    servicestatus 'fips' > /var/lib/landscape/client/annotations.d/fips
    servicestatus 'fips-updates' > /var/lib/landscape/client/annotations.d/fips-updates
  fi
  # Landscape Client reads annotations as the landscape user
  chown landscape: /var/lib/landscape/client/annotations.d/fips
  chown landscape: /var/lib/landscape/client/annotations.d/fips-updates
}
servicestatus() {
  # STATUS column of the line for service $1; the em dash ua prints for a
  # non-entitled service is rewritten to 'unavailable'
  echo "$UASTATUS" | grep -m 1 "^$1 " | awk '{ print $3 }' | sed 's/\xE2\x80\x94/unavailable/'
}
fipsenable
```
Run as user: root
Time limit (seconds): 600
Access group: Global access
Add the “FIPS Certified - Disable” script
Title: FIPS Certified - Disable
Code:
```bash
#!/bin/bash
fipsdisable() {
  local FIPSENABLED
  local UASTATUS
  local UANOTATTACHED
  UASTATUS=$(ua status)
  # 1 when no UA subscription is attached, otherwise 0
  UANOTATTACHED=$(echo "$UASTATUS" | grep -c 'This machine is not attached to a UA subscription.')
  if [[ $UANOTATTACHED -eq 0 ]]; then
    ua disable fips --assume-yes
    UASTATUS=$(ua status)
    echo "'ua status' reports FIPS is $(servicestatus 'fips')"
    # the non-FIPS kernel and modules are only in use after a reboot
    shutdown -r 1 &
  fi
  fipsannotations "$UASTATUS" "$UANOTATTACHED"
  # mark the Landscape activity as failed if FIPS is still enabled
  FIPSENABLED=$(servicestatus 'fips' | grep -c 'enabled')
  if [[ $FIPSENABLED -eq 1 ]]; then
    exit 1
  fi
}
fipsannotations() {
  # $2 is the "not attached" flag; UASTATUS is visible here through bash's dynamic scoping
  if [[ $2 -eq 1 ]]; then
    echo 'unavailable' > /var/lib/landscape/client/annotations.d/fips
    echo 'unavailable' > /var/lib/landscape/client/annotations.d/fips-updates
  else
    servicestatus 'fips' > /var/lib/landscape/client/annotations.d/fips
    servicestatus 'fips-updates' > /var/lib/landscape/client/annotations.d/fips-updates
  fi
  # Landscape Client reads annotations as the landscape user
  chown landscape: /var/lib/landscape/client/annotations.d/fips
  chown landscape: /var/lib/landscape/client/annotations.d/fips-updates
}
servicestatus() {
  # STATUS column of the line for service $1; the em dash ua prints for a
  # non-entitled service is rewritten to 'unavailable'
  echo "$UASTATUS" | grep -m 1 "^$1 " | awk '{ print $3 }' | sed 's/\xE2\x80\x94/unavailable/'
}
fipsdisable
```
Run as user: root
Time limit (seconds): 600
Access group: Global access
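Both scripts above derive their annotation values from the same parsing of `ua status`. The following is an added example, not code from the tutorial or from Landscape, that isolates that parsing and runs it on constructed status output for an attached and an unattached machine; the function and variable names are my own, and the sample text is constructed rather than captured from a live system.

```shell
#!/bin/bash
# Added example, not part of the tutorial: parse 'ua status' text into the
# annotation values the Landscape scripts write, on constructed sample output.
EMDASH=$(printf '\342\200\224')   # character ua status prints for a non-entitled service

# Constructed: 'ua status' on an attached machine (ENTITLED and STATUS columns).
ATTACHED_STATUS="SERVICE       ENTITLED  STATUS    DESCRIPTION
fips          yes       enabled   NIST-certified core packages
fips-updates  yes       disabled  NIST-certified core packages with priority security updates
usg           no        $EMDASH         Security compliance and audit tools"

# Constructed: the unattached form, which has no STATUS column at all.
UNATTACHED_STATUS="SERVICE       AVAILABLE  DESCRIPTION
fips          yes        NIST-certified core packages
fips-updates  yes        NIST-certified core packages with priority security updates

This machine is not attached to a UA subscription.
See https://ubuntu.com/advantage"

# Succeeds when the status text says the machine is unattached.
ua_is_unattached() {
  printf '%s\n' "$1" | grep -qF 'This machine is not attached to a UA subscription.'
}

# Prints the annotation value for service $2 given status text $1.
# Anchoring on "^service " keeps 'fips' from ever matching 'fips-updates';
# the tutorial's scripts instead rely on the fips line coming first.
ua_service_status() {
  local status_text=$1 service=$2 column
  if ua_is_unattached "$status_text"; then
    echo unavailable   # no STATUS column exists, so field 3 would be the description
    return
  fi
  column=$(printf '%s\n' "$status_text" | grep -m 1 "^${service}[[:space:]]" | awk '{ print $3 }')
  if [ -z "$column" ] || [ "$column" = "$EMDASH" ]; then
    echo unavailable   # service not listed, or listed but not entitled
  else
    echo "$column"     # enabled, disabled, n/a ... exactly as printed by ua
  fi
}

# Mirrors fipsannotations: write both values into a directory of your choice
# (the tutorial uses /var/lib/landscape/client/annotations.d, owned by landscape).
write_fips_annotations() {
  local status_text=$1 dir=$2
  mkdir -p "$dir"
  ua_service_status "$status_text" fips         > "$dir/fips"
  ua_service_status "$status_text" fips-updates > "$dir/fips-updates"
}
```

Point `write_fips_annotations` at a scratch directory to see the exact file contents Landscape would index as `annotation:fips` and `annotation:fips-updates`.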
Run the scripts
Now that you’ve added the scripts, you can run them on demand to enable or disable FIPS across computers and virtual machines that carry the FIPS Ubuntu Advantage entitlement, targeting any cross section of your Ubuntu estate.
- Within the Landscape dashboard, click Computers in the primary navigation.
- Select all the computers whose FIPS configuration needs to be identified.
- Click Scripts in the secondary navigation menu.
- Click the FIPS Certified - Enable or FIPS Certified - Disable radio button, then click Next.
- Confirm the script reads correctly, choose when you want the script to be delivered, and click Run.
The script will be queued and executed at your chosen time, when the Landscape Client on the selected machines next checks in with Landscape Server.
You do not need to refresh the page; it will update automatically when the script runs successfully.
Summary and next steps
Congratulations! Your Landscape dashboard is reporting FIPS information in a searchable manner. In the search bar, try the following queries:
NOT annotation:fips OR annotation:fips:disabled
annotation:fips:enabled
NOT annotation:fips-updates OR annotation:fips-updates:disabled
annotation:fips-updates:enabled
All Ubuntu machines which are configured to fetch packages from a FIPS certified source will appear for the search term annotation:fips:enabled. All Ubuntu machines that are configured to fetch the FIPS compliant packages with non-certified security patches will appear for the search term annotation:fips-updates:enabled. The NOT queries will reveal the inverse, and are useful in identifying machines either missing an Ubuntu Advantage subscription, or machines without FIPS entitlements enabled.
We hope it was easy to manage FIPS configurations inside Ubuntu. Don’t forget to check out our blog for the latest news on all things Ubuntu.