Datadog FIPS Compliance

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください
The Datadog FIPS Agent is available only in the US1-FED region.

The FIPS Agent is a flavor of the Datadog Agent that natively supports Federal Information Processing Standards (FIPS) compliance. The FIPS Agent includes limited support for integrations that need to collect observability data that is external to the host.

Supported platforms and limitations

The FIPS Agent’s compliance is based on its use of the FIPS 140-2 validated Cryptographic Module - Certificate #4282. See the related security policy for information about validated operating environments and restrictions.

It is your responsibility to ensure operating environment compliance with the security policy and wider FIPS guidance.

Supported platforms:

Bare metal and VMsRHEL >= 7
Debian >= 8
Ubuntu >= 14.04
SUSE >= 12
Windows Server >= 2016
Windows >= 10
Cloud and containerAmazon ECS
AWS EKS (Helm)
Docker

Supported products (Agent 7.65.0 and above):

  • Metrics
  • Logs
  • APM traces
  • APM profiles
  • Processes
  • Orchestrator Explorer
  • Runtime Security

The Datadog FIPS Agent does not support the following:

  • Serverless Monitoring
  • Communication between Cluster Agent and Node Agents
  • Agent integrations
  • Outbound communication to anything other than GovCloud

Prerequisites

    • A non-containerized Linux host.
    • Your Linux OS must be in FIPS-compliant mode. See your OS vendor’s documentation on what steps are required to meet this requirement.
    • FIPS-compliant storage backing the host file system.
    • A non-containerized Windows host.
    • Windows must be in FIPS-compliant mode.
    • FIPS-compliant storage backing the host file system.

    In addition to the Operating System (OS) requirements above:

    • You must have access to a FIPS-compliant Datadog environment (US1-FED).
    • The FIPS Agent is only available on Agent versions 7.65.0 and above.

    Installation

      1. Remove any fips-proxy installations on the host by uninstalling the datadog-fips-proxy package with your OS package manager. For example:

        Red Hat

        sudo yum remove datadog-fips-proxy

        Ubuntu/Debian

        sudo apt-get remove datadog-fips-proxy

      2. Ensure that the Agent’s configuration file does not contain any FIPS proxy settings. FIPS proxy settings use the fips.* prefix.

      3. Use the instructions for your OS to uninstall the Datadog Agent.

      4. Install the Agent with FIPS support.

        Note: FIPS support is only available on Agent versions 7.65.0 and above:

        1. If you’re using the Agent install script, specify the DD_AGENT_FLAVOR="datadog-fips-agent" environment variable in your installation command. For example:

          DD_SITE="ddog-gov.com" DD_API_KEY="MY_API_KEY" DD_AGENT_FLAVOR="datadog-fips-agent" … bash -c "$(curl -L https://s3.amazonaws.com/dd-agent/scripts/install_script_agent7.sh)"

        2. If you’re installing with a package, follow the instructions to install the latest datadog-fips-agent package available for your platform.

        3. Add GOFIPS=1 to your Datadog environment variables, reload all service units, and restart the Datadog Agent service (datadog-agent.service). For example, if your host is using systemd:

          echo "GOFIPS=1" | sudo tee -a /etc/datadog-agent/environment
systemctl daemon-reload
systemctl restart 'datadog-agent*'

        4. Run the datadog-agent status command and make sure you see FIPS Mode: enabled in the status output.

          Your image description

      1. Follow the Windows instructions to uninstall the Datadog Agent.

      2. Run the command below to install the FIPS Agent, replacing DATADOG_API_KEY with your API key:

        Note: FIPS support is only available on Agent versions 7.65.0 and above:

      $p = Start-Process -Wait -PassThru msiexec -ArgumentList '/qn /i https://windows-agent.datadoghq.com/datadog-fips-agent-7.65.0.msi /log C:\Windows\SystemTemp\install-datadog.log APIKEY="<DATADOG_API_KEY>" SITE="ddog-gov.com"'
if ($p.ExitCode -ne 0) {
   Write-Host "msiexec failed with exit code $($p.ExitCode) please check the logs at C:\Windows\SystemTemp\install-datadog.log" -ForegroundColor Red
}

      1. Run the Agent status command and make sure you see FIPS Mode: enabled in the status output.

        & "$env:ProgramFiles\Datadog\Datadog Agent\bin\agent.exe" status
        Your image description

      Note: The program name for the FIPS Agent in Add or Remove Programs is “Datadog FIPS Agent.”

      Security and hardening

      You, the Datadog customer, are responsible for host security and hardening.

      Security considerations:

      • While the Datadog images provided are constructed with security in mind, they have not been evaluated against CIS benchmark recommendations or DISA STIG standards.
      • If you rebuild, reconfigure, or modify the Datadog FIPS Agent to fit your deployment or testing needs, you might end up with a technically working setup, but Datadog cannot guarantee FIPS compliance if the Datadog FIPS Agent is not used exactly as explained in the documentation.
      • If you did not follow the installation steps listed above exactly as documented, Datadog cannot guarantee FIPS compliance.

      Further reading

      お役に立つドキュメント、リンクや記事:

      Agent Proxy ConfigurationDOCUMENTATION more more Monitor highly regulated workloads with Datadog's FIPS-enabled AgentBLOG more more
      PREVIEWING: datadog-api-spec/generated/3879