Tracing FIPS Cryptographic Operations at Runtime
FIPS-Traces instruments containers to trace every cryptographic operation at runtime, giving real-time visibility into which algorithms are actually used and producing continuous evidence of FIPS-approved algorithm use rather than relying on static configuration checks.
CleanStart's FIPS-Traces tool detects any attempt to use non-FIPS algorithms and blocks them, with full audit logging.
What FIPS-Traces Does
FIPS-Traces intercepts every cryptographic call an application makes and routes it through a validation layer before it is processed. When the application attempts a cryptographic operation, FIPS-Traces hooks the call, checks whether the requested algorithm is FIPS-approved, logs the operation with its full context, and then either lets it proceed or blocks it immediately and raises an alert.
For approved algorithms the operation is passed to the OpenSSL FIPS Module and the encrypted or signed result is returned to the caller. For non-FIPS algorithms the operation is blocked and a security alert is triggered. Every operation is therefore intercepted, verified, logged, and allowed or blocked in real time. Coverage extends only to calls that pass through the hooked library: a binary that does not load it (see the ldd check under Troubleshooting) is neither traced nor enforced, so confirm that each application you rely on for evidence actually loads it.
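The hook, verify, log, allow-or-block path described above, as an added illustrative model in Python. This is not FIPS-Traces' own code: the approved-algorithm table, the two parameter checks (RSA signing keys below 2048 bits and TLS versions below 1.2 treated as non-approved), the record field names and the exact meaning of the warn and strict values of FIPS_TRACES_ENFORCE are assumptions made for the example.

```python
"""Illustrative model of the FIPS-Traces path: hook -> verify -> log -> allow/block.

Added example, not FIPS-Traces' own code. The approved table, the parameter
checks, the record fields and the warn/strict semantics are assumptions.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Assumed table of approved algorithm names per operation type; anything
# absent is treated as non-FIPS. A real validation layer would defer to the
# OpenSSL FIPS module's own list of approved algorithms.
APPROVED = {
    "HASH": {"SHA-256", "SHA-384", "SHA-512", "SHA3-256"},
    "HMAC": {"HMAC-SHA-256", "HMAC-SHA-384", "HMAC-SHA-512"},
    "ENCRYPT": {"AES-128-GCM", "AES-256-GCM", "AES-128-CBC", "AES-256-CBC"},
    "SIGN": {"RSA-PSS", "RSA-PKCS1v15", "ECDSA-P256", "ECDSA-P384"},
    "TLS_HANDSHAKE": {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"},
}


@dataclass
class CryptoOp:
    """One intercepted call, with the context the trace record carries."""
    operation: str        # HASH, HMAC, ENCRYPT, SIGN, TLS_HANDSHAKE
    algorithm: str
    requested_by: str     # originating binary
    pid: int
    input_size: int = 0
    key_bits: int = 0     # asymmetric key size, used for SIGN
    protocol: str = ""    # TLS version, used for TLS_HANDSHAKE
    context: str = ""     # caller-supplied description, e.g. "checksum calculation"


def classify(op: CryptoOp) -> tuple[bool, str]:
    """Decide whether the call is FIPS-approved. The name check is the one the
    page describes; the two parameter checks are added because an approved name
    used with a disallowed parameter is still non-compliant."""
    if op.algorithm not in APPROVED.get(op.operation, set()):
        return False, f"{op.algorithm} is not FIPS-approved for {op.operation}"
    if op.operation == "SIGN" and op.algorithm.startswith("RSA") and op.key_bits < 2048:
        return False, f"RSA-{op.key_bits} is below the 2048-bit minimum for signature generation"
    if op.operation == "TLS_HANDSHAKE" and op.protocol not in ("TLSv1.2", "TLSv1.3"):
        return False, f"{op.protocol or 'unknown version'} is not permitted; TLS 1.2 or 1.3 is required"
    return True, "approved"


def trace(op: CryptoOp, enforce: str = "strict", timestamp: str = "2025-10-04T14:30:20Z"):
    """Hook path. Returns (allowed, record). In 'warn' mode a non-FIPS call is
    logged and still allowed to run; in 'strict' mode it is blocked and the
    record is flagged for alerting. The timestamp is a parameter so the
    function stays deterministic."""
    approved, reason = classify(op)
    if approved:
        action = "ALLOWED"
    elif enforce == "warn":
        action = "ALLOWED + WARN"
    elif enforce == "strict":
        action = "BLOCKED + ALERT"
    else:
        raise ValueError(f"unknown FIPS_TRACES_ENFORCE value: {enforce!r}")
    record = {
        "timestamp": timestamp,
        "operation": op.operation,
        "algorithm": op.algorithm,
        "fips_approved": approved,
        "reason": reason,
        "requested_by": op.requested_by,
        "pid": op.pid,
        "input_size": op.input_size,
        "context": op.context,
        "action": action,
    }
    return action.startswith("ALLOWED"), record


if __name__ == "__main__":
    # Constructed calls matching the examples on this page.
    calls = [
        CryptoOp("HASH", "SHA-256", "/usr/local/bin/myapp", 1201, input_size=4096),
        CryptoOp("ENCRYPT", "AES-256-GCM", "/usr/local/bin/myapp", 1201, input_size=4096, key_bits=256),
        CryptoOp("TLS_HANDSHAKE", "TLS_AES_256_GCM_SHA384", "/usr/local/bin/myapp", 1201, protocol="TLSv1.3"),
        CryptoOp("HASH", "MD5", "/usr/bin/legacy-app", 2847, context="checksum calculation"),
    ]
    for mode in ("warn", "strict"):
        print(f"--- FIPS_TRACES_ENFORCE={mode}")
        for call in calls:
            _allowed, rec = trace(call, enforce=mode)
            print(json.dumps(rec))
```

Running the script prints the same four calls under warn and then strict: the MD5 checksum is recorded in both modes, but only strict mode turns it into BLOCKED + ALERT. The point of the parameter checks is that "approved algorithm name" is not the whole story; a hook that only matches names would wave through RSA-1024 signatures or a TLS 1.0 handshake with an approved cipher suite.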
Installation
Enable FIPS-Traces in Image
```dockerfile
# Dockerfile with FIPS-Traces
FROM ubuntu:24.04-fips

# Install FIPS OpenSSL and the traces library
RUN apt-get update && apt-get install -y --no-install-recommends \
        openssl-fips \
        libssl3-fips \
        cleanstart-fips-traces \
    && rm -rf /var/lib/apt/lists/*

# Set environment to enable tracing
ENV FIPS_TRACES_LEVEL=debug
ENV FIPS_TRACES_OUTPUT=syslog
ENV FIPS_TRACES_ENFORCE=strict

COPY app /app
ENTRYPOINT ["/app/myapp"]
```
Configure FIPS-Traces
```bash
# Environment variables
export FIPS_TRACES_LEVEL=debug      # trace level: info, debug, trace
export FIPS_TRACES_OUTPUT=syslog    # output: syslog, file, stdout
export FIPS_TRACES_LOGFILE=/var/log/fips-traces.log   # destination when OUTPUT=file
export FIPS_TRACES_ENFORCE=strict   # enforcement: warn (log only, the call still runs), strict (block)
export FIPS_TRACES_ALERT=true       # alert on non-FIPS: true, false

# Run application (traces automatically enabled)
myapp
```
Output Examples
Tracing Approved Algorithms
All approved cryptographic operations are logged with complete context. When an application performs a hash operation using SHA-256, the trace records the operation type, algorithm name, approval status, input size (4096 bytes), execution duration (0.245ms), and the originating binary (/usr/local/bin/myapp). Similarly, encryption operations using AES-256-GCM are logged with key size, plaintext size, and processing time. TLS handshakes using TLSv1.3 and TLS_AES_256_GCM_SHA384 are also recorded with protocol version, cipher suite, approval status, and duration.
Blocking Non-FIPS Algorithms
When FIPS-Traces detects an attempt to use non-FIPS algorithms such as MD5, it blocks the operation immediately and generates an alert. The trace records which application requested the non-approved algorithm (for example, /usr/bin/legacy-app with process ID 2847), the operation type, the blocked algorithm name, and the action taken (BLOCKED + ALERT). A security alert is automatically sent to designated recipients (such as security@company.com) that includes the application name, blocked algorithm, operational context (such as "checksum calculation"), exact timestamp, and host name where the violation occurred.
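The trace records described in this section and the one before it, processed by an added Python example. It mirrors what the Audit Log Parsing section below does with grep and jq (list the blocked attempts, build the hourly compliance summary) and additionally applies a FIPS_TRACES_FILTER-style expression of the form used under Advanced Filtering to stored records. This is not the fips-traces-report tool: the sample log lines are constructed, the field names follow the jq example on this page (.algorithm, .requested_by, .timestamp) plus an assumed action field, and the filter grammar (AND-joined key:glob terms, with signer as an alias for the originating binary) is an assumed interpretation.

```python
"""Analyse FIPS-Traces style JSON-lines records.

Added example, not the fips-traces-report tool. Sample lines are constructed;
field names follow the jq example on this page; the filter grammar and the
"signer" alias are assumed interpretations.
"""
import json
from collections import Counter
from fnmatch import fnmatch

# Constructed sample log (not captured from a real system). The last line is
# deliberately truncated to show that a torn or partial line must be skipped.
SAMPLE_LOG = """\
{"timestamp":"2025-10-04T14:30:18Z","operation":"HASH","algorithm":"SHA-256","requested_by":"/usr/local/bin/myapp","pid":1201,"action":"ALLOWED"}
{"timestamp":"2025-10-04T14:30:19Z","operation":"ENCRYPT","algorithm":"AES-256-GCM","requested_by":"/usr/local/bin/myapp","pid":1201,"action":"ALLOWED"}
{"timestamp":"2025-10-04T14:30:20Z","operation":"HASH","algorithm":"MD5","requested_by":"/usr/bin/legacy-app","pid":2847,"action":"BLOCKED + ALERT"}
{"timestamp":"2025-10-04T14:31:02Z","operation":"TLS_HANDSHAKE","algorithm":"TLS_AES_256_GCM_SHA384","requested_by":"/usr/local/bin/myapp","pid":1201,"action":"ALLOWED"}
{"timestamp":"2025-10-04T14:32:15Z","operation":"TLS_HANDSHAKE","algorithm":"RC4","requested_by":"/opt/java/lib/lib.jar","pid":3310,"action":"BLOCKED + ALERT"}
{"timestamp":"2025-10-04T14:35:08Z","operation":"ENCRYPT","algorithm":"DES","requested_by":"custom-script.py","pid":4102,"action":"BLOCKED + ALERT"}
{"timestamp":"2025-10-04T14:40:00Z","operation":"ENCRYPT","algorithm":"AES-128-GCM","requested_by":"/usr/local/bin/myapp","pid":1201,"action":"ALLOWED"}
{"timestamp":"2025-10-04T14:41:
"""

# Assumed alias: the page's "signer:" filter key names the originating binary.
FILTER_KEY_ALIASES = {"signer": "requested_by"}


def parse_records(text: str):
    """Return (records, skipped). A log being rotated or still being written
    can end in a truncated line; skip it instead of aborting the report."""
    records, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1
    return records, skipped


def matches(record: dict, expr: str) -> bool:
    """Evaluate a FIPS_TRACES_FILTER-style expression against one record:
    key:glob terms joined by AND, matched case-insensitively."""
    for term in expr.split(" AND "):
        key, _, pattern = term.strip().partition(":")
        key = FILTER_KEY_ALIASES.get(key, key)
        if not fnmatch(str(record.get(key, "")).lower(), pattern.lower()):
            return False
    return True


def is_blocked(record: dict) -> bool:
    return "BLOCKED" in str(record.get("action", ""))


def blocked_attempts(records):
    """Equivalent of the grep | jq one-liner: (algorithm, app, time) per blocked call."""
    return [(r["algorithm"], r["requested_by"], r["timestamp"]) for r in records if is_blocked(r)]


def compliance_report(records, period: str) -> dict:
    """Same fields as the fips-traces-report output shown on this page."""
    total = len(records)
    blocked = [r for r in records if is_blocked(r)]
    counts = Counter(r["algorithm"] for r in blocked)
    approved = total - len(blocked)
    return {
        "period": period,
        "total_operations": total,
        "approved_operations": approved,
        "blocked_operations": len(blocked),
        "approval_rate": round(100.0 * approved / total, 2) if total else 0.0,
        "blocked_algorithms": [{"algorithm": a, "count": c} for a, c in sorted(counts.items())],
    }


if __name__ == "__main__":
    recs, skipped = parse_records(SAMPLE_LOG)
    print(f"parsed {len(recs)} records, skipped {skipped} malformed line(s)")
    for row in blocked_attempts(recs):
        print(" | ".join(row))
    print(json.dumps(compliance_report(recs, "2025-10-04T14:00:00Z to 2025-10-04T15:00:00Z"), indent=2))
    print([r["algorithm"] for r in recs if matches(r, "operation:ENCRYPT AND algorithm:AES*")])
```

The skipped-line counter matters for evidence: a report that silently drops unparseable records would understate blocked operations, so surface the count alongside the totals.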
Audit Log Parsing
Extract All Non-FIPS Attempts
```bash
# Parse FIPS-Traces log (one JSON record per line)
grep -i "blocked" /var/log/fips-traces.log | \
  jq -r '[.algorithm, .requested_by, .timestamp] | join(" | ")'

# Output (algorithm | app | time):
# MD5 | /usr/bin/legacy-app | 2025-10-04T14:30:20Z
# RC4 | /opt/java/lib/lib.jar | 2025-10-04T14:32:15Z
# DES | custom-script.py | 2025-10-04T14:35:08Z
```
Generate Compliance Report
```bash
# Generate hourly FIPS compliance report
fips-traces-report \
  --input /var/log/fips-traces.log \
  --output compliance-report.json \
  --period hourly

# Report shows:
# {
#   "period": "2025-10-04T14:00:00Z to 2025-10-04T15:00:00Z",
#   "total_operations": 45231,
#   "approved_operations": 45228,
#   "blocked_operations": 3,
#   "approval_rate": 99.99,
#   "blocked_algorithms": [
#     {"algorithm": "MD5", "count": 1},
#     {"algorithm": "RC4", "count": 2}
#   ]
# }
```
Advanced Filtering
Trace Only Specific Operations
```bash
# Trace only TLS handshakes
export FIPS_TRACES_FILTER="operation:TLS_HANDSHAKE"
myapp

# Trace only a specific algorithm family
export FIPS_TRACES_FILTER="algorithm:AES*"
myapp

# Combine filters
export FIPS_TRACES_FILTER="operation:ENCRYPT AND algorithm:AES*"
myapp

# A filter narrows what is recorded: operations outside it leave no trace,
# so do not run filtered where the log is your compliance evidence.
```
Trace Specific Application
```bash
# Trace only operations originating from /usr/local/bin/myapp
export FIPS_TRACES_FILTER="signer:/usr/local/bin/myapp"
myapp
```
Integration with Kubernetes
Pod Security Policy with FIPS-Traces
```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: fips-traces-enforcement
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - NET_RAW
  seLinux:
    rule: 'MustRunAs'
    seLinuxOptions:
      level: "s0:c123,c456"
  runAsUser:
    rule: 'MustRunAsNonRoot'
  fsGroup:
    rule: 'RunAsAny'
```
This policy hardens the pod around the traced workload but does not itself enable FIPS-Traces; tracing and enforcement come from the image and the FIPS_TRACES_* environment variables described above. PodSecurityPolicy was removed in Kubernetes 1.25, so on current clusters express the same constraints with Pod Security Admission or the pod's securityContext.
Sidecar for FIPS Monitoring
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: myapp-with-fips-monitor
spec:
  containers:
  - name: myapp
    image: myapp:1.0.0
    env:
    - name: FIPS_TRACES_LEVEL
      value: "debug"
    - name: FIPS_TRACES_OUTPUT
      value: "file"                  # write to the shared volume
    - name: FIPS_TRACES_LOGFILE
      value: "/var/log/fips/traces.log"
    - name: FIPS_TRACES_ENFORCE
      value: "strict"                # blocking happens in-process, in the hooked call
    volumeMounts:
    - name: fips-logs
      mountPath: /var/log/fips
  - name: fips-monitor
    image: cleanstart/fips-monitor:latest
    volumeMounts:
    - name: fips-logs
      mountPath: /var/log/fips
    args:
    - --input=/var/log/fips/traces.log
    - --alert-webhook=https://monitoring.example.com/alerts
    - --enforce-strict=true
  volumes:
  - name: fips-logs
    emptyDir: {}                     # lost with the pod: ship or archive the log for retention
```
Real-Time Alerting
Configure Alerts
```yaml
# fips-traces-alerts.yaml
alerts:
  - name: non-fips-algorithm-detected
    condition: algorithm.status == "BLOCKED"
    actions:
      - slack:
          webhook: https://hooks.slack.com/services/...
          message: "Non-FIPS algorithm blocked: {{ algorithm }}"
      - email:
          recipients: ["security@company.com"]
          subject: "FIPS violation: {{ algorithm }}"
      - pagerduty:
          service_key: "..."
          severity: "warning"
  - name: fips-enforcement-bypass-attempt
    condition: enforcement == "STRICT" AND blocked_count > 10
    actions:
      - block-container:
          signal: SIGTERM
      - alert-soc: "Potential security breach"
```
Alert Examples
```text
FIPS-TRACES ALERT: MD5 Usage Detected
  Container: legacy-payment-processor:v1
  Timestamp: 2025-10-04T14:30:20.123Z
  Algorithm: MD5
  Context: "Checksum calculation in legacy code"
  Action Taken: BLOCKED
  Remediation: Upgrade to SHA-256

FIPS-TRACES CRITICAL: RC4 Cipher Negotiation Attempt
  Container: old-tls-client:v0.9
  Timestamp: 2025-10-04T14:32:15.456Z
  Algorithm: RC4
  Context: "TLS handshake to legacy server"
  Action Taken: CONNECTION BLOCKED
  Remediation: Update to TLS 1.2+ with FIPS ciphers
```
Troubleshooting
FIPS-Traces Not Working
```bash
# Verify FIPS-Traces is loaded (the library name uses an underscore)
ldd /app/myapp | grep fips_traces
# Should show: libfips_traces.so => /usr/lib/libfips_traces.so
# ldd only lists libraries linked at build time; if the library is injected
# into the running process instead, check the process's mapped objects:
grep fips_traces /proc/$(pgrep -x myapp)/maps

# Check environment
echo $FIPS_TRACES_LEVEL
printenv | grep FIPS_TRACES

# Test manually
echo "test" | openssl dgst -md5
# Should be BLOCKED with FIPS-Traces enabled
```
Performance Impact
If FIPS-Traces causes performance issues:
```bash
# Switch to "info" level (less overhead)
export FIPS_TRACES_LEVEL=info

# Use sampling (trace 1 in 100 operations)
export FIPS_TRACES_SAMPLE_RATE=0.01
# After enabling sampling, repeat the manual MD5 test from Troubleshooting
# to confirm blocking still applies to every call, not only sampled ones.

# Disable for non-critical paths
export FIPS_TRACES_EXCLUDE="/opt/analytics/*"
# Excluded paths produce no records and so no compliance evidence;
# record them as documented exceptions.
```
Log File Growth
FIPS-Traces logs can grow large. Configure rotation:
```text
# /etc/logrotate.d/fips-traces
/var/log/fips-traces.log {
    daily
    rotate 7
    compress
    delaycompress
    missingok
    notifempty
    create 0600 root root
    # rotate 7 keeps one week locally; ship rotated files to long-term storage
    # to meet the 90-day retention under Best Practices.
    # If the tracing library keeps the file open rather than reopening it after
    # rotation, add copytruncate (or a postrotate hook that signals the process);
    # otherwise new records keep going to the rotated file.
}
```
Compliance Evidence
FIPS-Traces generates compliance evidence automatically:
```bash
# Extract compliance evidence for audit
fips-traces-evidence \
  --starttime 2025-10-01T00:00:00Z \
  --endtime 2025-10-04T23:59:59Z \
  --output fedramp-evidence.json

# Evidence shows:
# - All cryptographic operations verified FIPS-compliant
# - Timestamp and proof of enforcement
# - Blocked operations (evidence of preventive control)
```
Best Practices
- Enable in All Environments: Use FIPS-Traces in dev, staging, production
- Monitor Logs: Real-time alerts for non-FIPS attempts
- Archive Logs: Keep 90+ days for compliance audits
- Test Regularly: Verify that legacy code does not accidentally use non-FIPS algorithms
- Document Exceptions: Any intentional non-FIPS operations (if allowed)
See Also
- FIPS Overview: fips-140-overview.md — FIPS concepts.
- FIPS Verifier: fips-verifier.md — Static compliance checking.
- Runtime Evidence: ../runtime-evidence/ebpf-falco-integration.md — Additional runtime monitoring.
