Chapter 8. Federal Standards and Regulations
To maintain security levels, your organization can make efforts to comply with federal and industry security specifications, standards, and regulations. This chapter describes some of these standards and regulations.
8.1. Federal Information Processing Standard (FIPS)
The Federal Information Processing Standard (FIPS) Publication 140-2 is a computer security standard developed by a U.S. Government and industry working group to validate the quality of cryptographic modules. See the official FIPS publications here: http://csrc.nist.gov/publications/PubsFIPS.html.
The FIPS 140-2 standard ensures that cryptographic tools implement their algorithms properly. See the full FIPS 140-2 standard at http://dx.doi.org/10.6028/NIST.FIPS.140-2 for details on the security levels it defines and on the other specifications of the FIPS standard.
To see the complete list of all FIPS 140-2 certificates, visit http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm. To learn about compliance requirements, see the Red Hat Government: Standards page.
8.1.1. Enabling FIPS Mode
To make Red Hat Enterprise Linux compliant with the Federal Information Processing Standard (FIPS) Publication 140-2, you need to make several changes to ensure that accredited cryptographic modules are used. You can either enable FIPS mode during system installation or after it.
During the System Installation
To fulfil strict FIPS 140-2 compliance, add the fips=1 kernel option to the kernel command line during system installation. With this option, all key generation is done with FIPS-approved algorithms and with continuous monitoring tests in place. After the installation, the system is configured to boot into FIPS mode automatically.
Important
Ensure that the system has plenty of entropy during the installation process by moving the mouse around or by pressing many keystrokes. The recommended number of keystrokes is 256 or more. Fewer than 256 keystrokes might generate a non-unique key.
After the System Installation
To turn the kernel space and user space of your system into FIPS mode after installation, follow these steps:
- Install the dracut-fips package:
  ~]# yum install dracut-fips
  For CPUs with the AES New Instructions (AES-NI) support, install the dracut-fips-aesni package as well:
  ~]# yum install dracut-fips-aesni
- Regenerate the initramfs file:
  ~]# dracut -v -f
  To enable the in-module integrity verification and to have all required modules present during the kernel boot, the initramfs file has to be regenerated.
  Warning
  This operation will overwrite the existing initramfs file.
- Modify the boot loader configuration.
  To boot into FIPS mode, add the fips=1 option to the kernel command line of the boot loader. If your /boot or /boot/EFI/ partitions reside on separate partitions, add the boot=<partition> parameter (where <partition> stands for /boot or /boot/EFI) to the kernel command line as well.
  To identify the boot partition, enter the following command:
  ~]$ df /boot
  Filesystem     1K-blocks  Used Available Use% Mounted on
  /dev/sda1         495844 53780    416464  12% /boot
  To ensure that the boot= configuration option works even if the device naming changes between boots, identify the universally unique identifier (UUID) of the partition by running the following command:
  ~]$ blkid /dev/sda1
  /dev/sda1: UUID="05c000f1-f899-467b-a4d9-d5ca4424c797" TYPE="ext4"
  Append the UUID to the kernel command line:
  boot=UUID=05c000f1-f899-467b-a4d9-d5ca4424c797
  Depending on your boot loader, make the following changes:
  - GRUB 2
    Add the fips=1 and boot=<partition of /boot or /boot/EFI> options to the GRUB_CMDLINE_LINUX key in the /etc/default/grub file. To apply the changes to /etc/default/grub, rebuild the grub.cfg file as follows:
    - On BIOS-based machines, enter the following command as root:
      ~]# grub2-mkconfig -o /etc/grub2.cfg
    - On UEFI-based machines, enter the following command as root:
      ~]# grub2-mkconfig -o /etc/grub2-efi.cfg
  - zipl (on the IBM z Systems architecture only)
    Add the fips=1 and boot=<partition of /boot> options to the kernel command line in the /etc/zipl.conf file and apply the changes by running the following command as root:
      ~]# zipl
- Make sure prelinking is disabled.
  For proper operation of the in-module integrity verification, prelinking of libraries and binaries has to be disabled. Prelinking is done by the prelink package, which is not installed by default. Unless prelink has been installed, this step is not needed. To disable prelinking, set the PRELINKING=no option in the /etc/sysconfig/prelink configuration file. To disable existing prelinking on all system files, use the prelink -u -a command.
- Reboot your system.
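As an added example that is not part of the Red Hat guide, the following POSIX shell helper audits whether the steps above actually took effect on a running RHEL 7 system: it checks the kernel's fips_enabled flag, the fips=1 and boot= parameters on the live kernel command line, the prelink configuration, and the dracut-fips package. The function names and the live audit at the bottom are this example's own; each check takes its input as a parameter so it can also be exercised against constructed values.

```shell
#!/bin/sh
# Added FIPS-mode audit helper (not part of the Red Hat guide). Each check
# takes its input as a parameter so it can be run against constructed data;
# audit_fips at the bottom wires the checks to the live system's files.

# check_cmdline "<kernel cmdline>" yes|no  (second arg: is /boot separate?)
# Succeeds when fips=1 is present and, for a separate /boot, boot= as well.
check_cmdline() {
    cmdline=$1 boot_separate=$2 rc=0
    case " $cmdline " in
        *" fips=1 "*) ;;
        *) echo "missing: fips=1 on the kernel command line"; rc=1 ;;
    esac
    if [ "$boot_separate" = yes ]; then
        case " $cmdline " in
            *" boot="*) ;;
            *) echo "missing: boot=<partition> (separate /boot)"; rc=1 ;;
        esac
    fi
    return $rc
}

# check_prelink /path/to/prelink.conf
# Succeeds when prelink is absent (file missing) or PRELINKING=no is set.
check_prelink() {
    [ -f "$1" ] || return 0
    grep -Eq '^[[:space:]]*PRELINKING=no' "$1" && return 0
    echo "prelinking is still enabled in $1"; return 1
}

# check_fips_flag /path/to/fips_enabled
# Succeeds when the kernel reports that FIPS mode is active (value 1).
check_fips_flag() {
    [ -r "$1" ] && [ "$(cat "$1")" = 1 ] && return 0
    echo "kernel is not in FIPS mode ($1 is not 1)"; return 1
}

# Live audit: every check runs so that all findings are reported at once.
audit_fips() {
    status=0
    check_fips_flag /proc/sys/crypto/fips_enabled || status=1
    sep=no
    # /boot is a separate partition when df reports /boot as its own mount point
    [ "$(df --output=target /boot 2>/dev/null | tail -n 1)" = /boot ] && sep=yes
    check_cmdline "$(cat /proc/cmdline 2>/dev/null)" "$sep" || status=1
    check_prelink /etc/sysconfig/prelink || status=1
    rpm -q dracut-fips >/dev/null 2>&1 || { echo "missing: dracut-fips package"; status=1; }
    return $status
}
audit_fips && echo "all FIPS mode checks passed"
```

Run it as root after the reboot; a non-zero exit status together with the printed "missing" lines tells you which step did not take effect.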
Enabling FIPS Mode in a Container
A container can be switched to FIPS 140-2 mode if the host is also set in FIPS 140-2 mode and one of the following requirements is met:
- The dracut-fips package is installed in the container.
- The /etc/system-fips file is mounted on the container from the host.