Posted to user@guacamole.apache.org by Sean Hulbert <sh...@securitycentric.net.INVALID> on 2022/09/08 16:30:52 UTC

Guacamole FIPS 140-2

Hello

Here are some security questions I have about Guacamole.

1. Does it support FIPS 140-2?

   a. If enabled on Ubuntu 20.04 LTS, are there any known issues?

2. We noticed that cookies aren't used anymore. Is there a setting to
time out the session if idle for X time, or is that based on the Guest OS?

3. For the MFA TOTP, what is the location of the control file or the
pre-compiled code? We'd like to review it for adding additional functions.

Thank You

Sean Hulbert

Security Centric Inc.

Re: Guacamole FIPS 140-2

Posted by Michael Jumper <mj...@apache.org>.
On Thu, Sep 8, 2022 at 9:31 AM Sean Hulbert
<sh...@securitycentric.net.invalid> wrote:
>
> Hello
>
> Here are some security questions I have about Guacamole.
>
> 1. Does it support FIPS 140-2
>    a. If enabled on Ubuntu 20.04 LTS are there any known issues

The current known issues with FIPS are:
https://issues.apache.org/jira/browse/GUACAMOLE-1674?jql=project%20%3D%20GUACAMOLE%20AND%20type%20%3D%20Bug%20AND%20text%20~%20fips

> 2. We noticed that cookies aren’t used anymore, is there a setting to time out the session if idle for X time or is that based on Guest OS?

You should never rely on cookie expiration alone for session
expiration. Guacamole handles session expiration on the server side,
with a default session timeout of 1 hour.

https://guacamole.apache.org/doc/gug/configuring-guacamole.html#guacamole-properties

> 3. The MFA TOTP what is the location of control file or the pre-compiled code, we like to review it for adding additional functions.

I don't understand what you're asking here. What control file and what
pre-compiled code? The source to the entire web application, including
the TOTP support and all other extensions, is in the
"apache/guacamole-client" repository:
https://github.com/apache/guacamole-client/

- Mike
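
Added example, not part of the thread and not Guacamole's own code: a minimal Python sketch of the point in the reply above about not relying on cookie expiration alone. The class names, `replay_after_idle`, and the simulated clock are hypothetical; only the 1 hour default is taken from the reply.

```python
import secrets

IDLE_TIMEOUT = 60 * 60  # seconds; the 1 hour default mentioned in the reply


class CookieOnlySessions:
    """Weak design: the server never expires tokens and trusts the
    browser to discard the cookie when its expiry passes."""

    def __init__(self):
        self._tokens = set()

    def login(self, now):
        token = secrets.token_hex(32)
        self._tokens.add(token)
        return token

    def is_valid(self, token, now):
        return token in self._tokens  # idle time is never checked


class ServerSideSessions:
    """Idle timeout enforced by the server on every request."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self._last_access = {}  # token -> time of last accepted request

    def login(self, now):
        token = secrets.token_hex(32)
        self._last_access[token] = now
        return token

    def is_valid(self, token, now):
        last = self._last_access.get(token)
        if last is None:
            return False
        if now - last > self.idle_timeout:
            del self._last_access[token]  # expired: the token is dead for good
            return False
        self._last_access[token] = now  # activity resets the idle clock
        return True


def replay_after_idle(store, idle_seconds):
    """Constructed scenario: a client that ignores cookie expiry and
    presents the same token again after idling for idle_seconds."""
    token = store.login(now=0)
    return store.is_valid(token, now=idle_seconds)
```

With the cookie-only store, a token replayed after two idle hours is still accepted; with the server-side store it is rejected and stays rejected.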
