Problems Disabling FIPS on RHEL 7

Latest response

Following STEPS 4 and 5 only of the procedures in the linked document below, I have a few systems (but NOT all of them) still indicating that FIPS is enabled.

The customer does not want us to remove the dracut-fips package(s) so we're trying to only disable FIPS. We're basically having to run the following commands, then reboot, but we have to run the commands and reboot TWICE to get the FIPS enabled check to show a status of 0 (zero).

grubby --update-kernel=ALL --remove-args=fips=1
sed -i 's/ fips=1//' /etc/default/grub

Granted, we don't need to run the sed command again.

The instructions indicate to simply reboot. Why do we need to reboot twice to show a disabled state?

https://access.redhat.com/solutions/2422061

Any ideas why that may be?

Also, if there's a fips=1 should there not be a fips=0 option that would work too? I see no mention of that online, unless I missed it.

Thanks for your ideas.

Chris

Chris Scarff's picture

Responses