Audit UA Client FIPS configurations at scale with Landscape

1. Overview

In this tutorial, you will learn how to use Landscape’s dashboard to identify which machines have the Ubuntu Advantage FIPS entitlement enabled.

The Ubuntu Advantage client (UA Client) provides you with a simple mechanism to view, enable, and disable offerings from Canonical on your system. UA client produces machine readable outputs and integrates with other Canonical, or third-party tooling. Beyond FIPS, UA Client can enable Ubuntu Advantage services, such as Extended Security Maintenance (ESM), Ubuntu Security Guide (USG), Livepatch, and more.

Landscape is Canonical’s systems management and monitoring solution. You will compose interactions with UA Client into a Landscape-aware shell script, and track which systems are configured to be FIPS certified, FIPS compliant, or lacking FIPS enablement entirely.

Landscape enables you to divide your Ubuntu estate into cross sections by tags, groups, annotations, and search queries that can also filter hardware and software metadata. These cross sections, regardless of size, can be monitored and managed as easily as one machine.


2. Prerequisites

To complete this tutorial, you will need a machine running Ubuntu Pro. If you are not running Ubuntu Pro, any other supported Ubuntu LTS will work, provided it has the following:

  • An Ubuntu One account
  • An Ubuntu Advantage for Infrastructure subscription
  • UA Client attached to your Ubuntu Advantage for Infrastructure subscription
  • Landscape Client installed and registered with either Landscape on-prem or Landscape SaaS
  • Landscape Client is allowed to remotely execute scripts

Obtain an Ubuntu Advantage for Infrastructure subscription

Anyone can use Ubuntu Advantage for Infrastructure for free on up to 3 machines.

Customers with larger needs can mix and match Ubuntu Advantage Essential, Standard, and Advanced subscription types within one Ubuntu Advantage account. All Ubuntu Advantage subscriptions come with certified cryptography modules for users interested in FIPS, and Landscape on-premises.

Visit ubuntu.com/advantage to create or sign in to your Ubuntu One account, and obtain an Ubuntu Advantage for Infrastructure subscription that matches your needs.

Attach UA Client to your Ubuntu Advantage account

Your UA token is used to connect the UA client you have installed on your machines to your Ubuntu Advantage for Infrastructure subscription.
Let’s first check whether you have already attached your UA token to the UA client by running:

ua status

The output will look like this:

SERVICE       AVAILABLE  DESCRIPTION
cc-eal        no         Common Criteria EAL2 Provisioning Packages
esm-infra     yes        UA Infra: Extended Security Maintenance (ESM)
fips          yes        NIST-certified core packages
fips-updates  yes        NIST-certified core packages with priority security updates
livepatch     yes        Canonical Livepatch service
usg           yes        Security compliance and audit tools

This machine is not attached to a UA subscription.
See https://ubuntu.com/advantage

You can see that this is not yet attached to a UA subscription. Let’s fix that now.

Your UA token can be found on your Ubuntu Advantage dashboard. To access your dashboard, you need an Ubuntu One account. If you still need to create one, ensure that you use the email address used to purchase your subscription.

The Ubuntu One account functions as a Single Sign On, so once logged in, you can type the address for the Ubuntu Advantage dashboard into the browser’s address bar: ubuntu.com/advantage. Then click on a subscription in the left hand column, and the Documentation tab on the right hand side column. Now you’re ready to attach your UA token to the UA client. Look for the copy and paste ready command to attach a machine, it will look similar to this:

sudo ua attach <your_ua_token>

Configure Landscape

The Landscape quickstart deployment guide offers the shortest path to a functional Landscape Server instance, and enrolling a machine to be managed by Landscape with Landscape Client. Signing up for Landscape SaaS eliminates the server installation step, and relieves you of any maintenance activities to keep Landscape up to date.

The Landscape Client steps from the quickstart deployment guide are accurate for both Landscape SaaS and Landscape on-premises users. During installation, Landscape Client will request permission for executing scripts remotely for all users.

Landscape has a feature which enables administrators to run
arbitrary scripts on machines under their control. By default this
feature is disabled in the client, disallowing any arbitrary script
execution. If enabled, the set of users that scripts may run as is
also configurable.

Enable script execution? [y/N]:

Answering yes to the Enable script execution prompt is required for this tutorial to work successfully.

By default, scripts are restricted to the 'landscape' and
'nobody' users. Please enter a comma-delimited list of users
that scripts will be restricted to. To allow scripts to be run
by any user, enter "ALL".

Script users: ALL

Answering ALL to the Script users prompt is not necessary to complete this tutorial. To be maximally useful, Landscape Client should be able to execute scripts with elevated privileges (such as root) on an as-needed basis. This tutorial will work if you restrict Script users to the landscape user, which is used by the Landscape Client.


3. Landscape scripts

When logging into the Landscape dashboard, the secondary navigation for Scripts takes you to the central place within Landscape where shell scripts are organized. Once there, click Add Script.

Add the Update FIPS Annotations script

Title: Update FIPS Annotations

Code:

#!/bin/bash
fipsannotations() {
  local UASTATUS
  local UANOTATTACHED
  UASTATUS=$(ua status)
  UANOTATTACHED=$(echo "$UASTATUS" | grep -c 'This machine is not attached to a UA subscription.')
  if [[ $UANOTATTACHED -eq 1 ]]; then
    echo 'unavailable' > /var/lib/landscape/client/annotations.d/fips
    echo 'unavailable' > /var/lib/landscape/client/annotations.d/fips-updates
    echo "'ua status' reports this machine is not attached to a UA subscription."
  else
    servicestatus 'fips' > /var/lib/landscape/client/annotations.d/fips
    echo "'ua status' reports FIPS is $(servicestatus 'fips')"
    servicestatus 'fips-updates' > /var/lib/landscape/client/annotations.d/fips-updates
    echo "'ua status' reports FIPS Updates is $(servicestatus 'fips-updates')"
  fi
  chown landscape: /var/lib/landscape/client/annotations.d/fips
  chown landscape: /var/lib/landscape/client/annotations.d/fips-updates
}
servicestatus() {
  echo "$UASTATUS" | grep -m 1 "$1" | awk '{ print $3 }' | sed 's/\xE2\x80\x94/unavailable/'
}
fipsannotations

Run as user: landscape
Time limit (seconds): 300
Access group: Global access

Run the Update FIPS Annotations script

Which computers and virtual machines have the FIPS Ubuntu Advantage entitlement enabled? It is possible to run the script on demand, across any cross section of your Ubuntu estate.

  1. Within the Landscape dashboard, click Computers in the primary navigation.
  2. Select all the computers whose FIPS configuration needs to be identified.
  3. Click Scripts in the secondary navigation menu.
  4. Click the Update FIPS Annotations radio button, then click Next.
  5. Confirm the script reads correctly, choose when you want the script to be delivered, and click Run.

The script will be queued, and will be executed at your chosen time, when the Landscape Client on the selected machines checks in with Landscape Server.

You do not need to refresh the page, it will update automatically when the script runs successfully.


4. Summary and next steps

Congratulations! Your Landscape dashboard is reporting FIPS information in a searchable manner. In the search bar, try the following queries:

  • NOT annotation:fips OR annotation:fips:disabled
  • annotation:fips:enabled
  • NOT annotation:fips-updates OR annotation:fips-updates:disabled
  • annotation:fips-updates:enabled

All Ubuntu machines which are configured to fetch packages from a FIPS certified source will appear for search term annotation:fips:enabled. All Ubuntu machines that are configured to fetch the FIPS compliant packages with non-certified security patches will appear for search term annotation:fips-updates:enabled. The NOT queries will reveal the inverse, and be useful in identifying machines either missing an Ubuntu Advantage subscription, or machines without FIPS entitlements enabled.

We hope it was easy to audit FIPS configurations inside Ubuntu. Don’t forget to check out our blog for the latest news on all things Ubuntu.

Further Reading


5. Tell us your thoughts!

Thank you for following this tutorial, we’d love to hear how you got on.

Give us feedback in the Ubuntu Discourse if you have any issues.

To help us improve our tutorials, we’d love to hear more about you:

How will you use this tutorial?

What is your current level of experience?

Why were you interested in this tutorial?