Chapter 7. Federal Standards and Regulations

To maintain security levels, your organization can work toward compliance with federal and industry security specifications, standards, and regulations. This chapter describes some of these standards and regulations.

7.1. Federal Information Processing Standard (FIPS)

The Federal Information Processing Standard (FIPS) Publication 140-2 is a computer security standard, developed by the U.S. Government and industry working group to validate the quality of cryptographic modules. See the official FIPS publications here: http://csrc.nist.gov/publications/PubsFIPS.html. At the time of the Red Hat Enterprise Linux 7.3 release, Publication 140-3 is at Draft status, and may not represent the completed standard.
The FIPS 140-2 standard ensures that cryptographic tools implement their algorithms properly. See the full FIPS 140-2 standard at http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf for further details on the security levels it defines and on the other specifications of the FIPS standard.
To see the complete list of all FIPS 140-2 certificates, visit http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm. To learn about compliance requirements, see the Red Hat Government: Standards page.

7.1.1. Enabling FIPS Mode

To make Red Hat Enterprise Linux compliant with the Federal Information Processing Standard (FIPS) Publication 140-2, you need to make several changes to ensure that accredited cryptographic modules are used. You can either enable FIPS mode during system installation or after it.

During the System Installation

To fulfill strict FIPS 140-2 compliance, add the fips=1 kernel option to the kernel command line during system installation. With this option, all key generation is done with FIPS-approved algorithms and with continuous monitoring tests in place. After the installation, the system is configured to boot into FIPS mode automatically.

Important

Ensure that the system has plenty of entropy during the installation process by moving the mouse around or by pressing many keystrokes. The recommended number of keystrokes is 256 or more. Fewer than 256 keystrokes could generate a non-unique key.

After the System Installation

To switch your system, both kernel and user space, into FIPS mode at any time after the system installation, follow these steps:
  1. Make sure prelinking is disabled.
    For proper operation of the in-module integrity verification, prelinking of libraries and binaries has to be disabled. Prelinking is done by the prelink package, which is not installed by default. To disable prelinking, set the PRELINKING=no option in the /etc/sysconfig/prelink configuration file. To disable existing prelinking on all system files, use the prelink -u -a command.
  2. Install the dracut-fips package:
    ~]# yum install dracut-fips
    For the CPUs with the AES New Instructions (AES-NI) support, install the dracut-fips-aesni package as well:
    ~]# yum install dracut-fips-aesni
  3. Regenerate the initramfs file.
    To enable the in-module integrity verification and to have all required modules present during the kernel boot, the initramfs file has to be regenerated:
    ~]# dracut -v -f

    Warning

    This operation will overwrite the existing initramfs file.
  4. Modify boot loader configuration.
    To boot into FIPS mode, add the fips=1 option to the kernel command line of the boot loader. If /boot or /boot/EFI/ resides on a separate partition, also add the boot=<partition> parameter (where <partition> stands for the partition holding /boot or /boot/EFI) to the kernel command line.
    To identify the boot partition, enter the following command:
    ~]$ df /boot
    Filesystem           1K-blocks      Used Available Use% Mounted on
    /dev/sda1               495844     53780    416464  12% /boot
    To ensure that the boot= configuration option works even if the device naming changes between boots, identify the universally unique identifier (UUID) of the partition by running the following command:
    ~]$ blkid /dev/sda1
    /dev/sda1: UUID="05c000f1-f899-467b-a4d9-d5ca4424c797" TYPE="ext4"
    Append the UUID to the kernel command line:
    boot=UUID=05c000f1-f899-467b-a4d9-d5ca4424c797
    Depending on your boot loader, make the following changes:
    • grub2
      Add the fips=1 and boot=<partition of /boot or /boot/EFI> options to the GRUB_CMDLINE_LINUX key in the /etc/default/grub file. To apply the changes to /etc/default/grub, rebuild the grub.cfg file as follows:
      • On BIOS-based machines, enter the following command as root:
        ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
      • On UEFI-based machines, enter the following command as root:
        ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
    • zipl (on the IBM z Systems architecture only)
      Add the fips=1 and boot=<partition of /boot> options to the kernel command line in /etc/zipl.conf and apply the changes by running the following command as root:
      ~]# zipl
  5. Reboot your system.
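The five steps above can be audited, and step 4 for grub2 prepared, with a small script. The following is an added example, not part of the Red Hat guide: it assumes the RHEL 7 file locations named in the steps (/etc/sysconfig/prelink, /etc/default/grub, /proc/cmdline) and the /proc/sys/crypto/fips_enabled flag the kernel exposes, and the function names are my own. Every function takes the file or string to inspect as an argument, so the checks can be exercised on constructed input without touching the live system; the sample UUID is the one shown in the blkid output above.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): audit and prepare the FIPS-mode
# settings from the procedure above. Assumes the RHEL 7 paths named in the
# steps (/etc/sysconfig/prelink, /etc/default/grub, /proc/cmdline) and the
# kernel's /proc/sys/crypto/fips_enabled flag. Every function takes the file
# or string to inspect as an argument, so it runs on constructed input too.

# Step 1: return 0 if the prelink configuration disables prelinking.
# A missing file also counts as disabled: prelink is not installed by default.
prelink_disabled() {
    conf="$1"
    [ -f "$conf" ] || return 0
    grep -Eq '^[[:space:]]*PRELINKING=no([[:space:]]|$)' "$conf"
}

# Step 4: return 0 if a kernel command line (given as a string) carries fips=1.
cmdline_has_fips() {
    printf '%s\n' " $1 " | grep -q ' fips=1 '
}

# Step 4: derive the boot= parameter from a blkid output line such as
#   /dev/sda1: UUID="05c000f1-f899-467b-a4d9-d5ca4424c797" TYPE="ext4"
# so the option survives a device rename between boots.
boot_param_from_blkid() {
    uuid=$(printf '%s\n' "$1" | sed -n 's/.*UUID="\([^"]*\)".*/\1/p')
    [ -n "$uuid" ] || return 1
    printf 'boot=UUID=%s\n' "$uuid"
}

# Step 4 (grub2): add fips=1 and, when given, the boot= parameter to
# GRUB_CMDLINE_LINUX in the named file. Options already present are not
# repeated, so running it twice is harmless. Prints the resulting value.
# grub2-mkconfig still has to be run afterwards, as the guide says.
grub_add_fips_options() {
    grubfile="$1"; bootparam="$2"
    current=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$grubfile")
    new="$current"
    cmdline_has_fips "$new" || new="$new fips=1"
    if [ -n "$bootparam" ]; then
        case " $new " in
            *" $bootparam "*) ;;
            *) new="$new $bootparam" ;;
        esac
    fi
    new=$(printf '%s' "$new" | sed 's/^ *//')
    if grep -q '^GRUB_CMDLINE_LINUX=' "$grubfile"; then
        sed "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"$new\"|" "$grubfile" > "$grubfile.tmp"
    else
        { cat "$grubfile"; printf 'GRUB_CMDLINE_LINUX="%s"\n' "$new"; } > "$grubfile.tmp"
    fi
    mv "$grubfile.tmp" "$grubfile"
    printf '%s\n' "$new"
}

# Live audit of the running system: run as root after step 5 to confirm the
# result, or before it to see what is still missing. Returns non-zero on any gap.
audit_live_system() {
    status=0
    prelink_disabled /etc/sysconfig/prelink && echo "ok   prelinking disabled" \
        || { echo "FAIL prelinking still enabled"; status=1; }
    rpm -q dracut-fips >/dev/null 2>&1 && echo "ok   dracut-fips installed" \
        || { echo "FAIL dracut-fips not installed"; status=1; }
    cmdline_has_fips "$(cat /proc/cmdline)" && echo "ok   fips=1 on kernel command line" \
        || { echo "FAIL fips=1 missing from /proc/cmdline"; status=1; }
    if [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = 1 ]; then
        echo "ok   kernel reports FIPS mode enabled"
    else
        echo "FAIL kernel reports FIPS mode disabled"; status=1
    fi
    return $status
}

# Usage: sh fips-check.sh --audit   (as root)
if [ "${1:-}" = "--audit" ]; then
    audit_live_system
fi
```

The script deliberately edits only /etc/default/grub (or any file you pass it) and leaves dracut -f and grub2-mkconfig to be run by hand, since both overwrite boot artifacts; the audit function is what you run after the reboot in step 5 to confirm the kernel actually came up in FIPS mode rather than trusting the configuration alone.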