I would like to know about the FIPS (Federal Information Processing Standards) compliance status of SearchGuard, specifically for SearchGuard version 6.5 or any of its versions. Our organization is currently using SearchGuard 5 with Elasticsearch 5.6.4, and we are evaluating the possibility of implementing FIPS compliance in our environment.
If an official FIPS-compliant version is not available, are there any recommendations or best practices you can provide to make SearchGuard and our Elasticsearch environment more FIPS compliant?
Elasticsearch 5.x, and therefore Search Guard 5.x, is long past end of life, so we have no plans for FIPS support on Search Guard 5 and have no recommendations on how to make Search Guard 5 more FIPS compliant. There are a lot of known security issues with Elasticsearch 5, so we suggest upgrading to a more recent version.
For a plugin like Search Guard that integrates with a host system like Elasticsearch, getting a FIPS certification for Search Guard standalone is not possible. It’s always the complete system that needs to be considered. Just as examples, you must use a JVM that supports FIPS-compliant security providers and configure it accordingly. FIPS also poses restrictions on how you store trust material, like keys and certificates. E.g., neither JKS nor PKCS#12 keystores can be used in a FIPS 140 compliant system. FIPS also defines what TLS versions and ciphers you are allowed to use. For some of these aspects Search Guard already provides support: Configuring TLS | Security for Elasticsearch | Search Guard. Other aspects of FIPS are outside the scope of Search Guard.