Chapter 9. Federal Standards and Regulations

To maintain security levels, your organization can work toward compliance with federal and industry security specifications, standards, and regulations. This chapter describes some of these standards and regulations.

9.1. Federal Information Processing Standard (FIPS)

The Federal Information Processing Standard (FIPS) Publication 140-2 is a computer security standard developed by a U.S. Government and industry working group to validate the quality of cryptographic modules. See the official FIPS publications at the NIST Computer Security Resource Center.
The FIPS 140-2 standard ensures that cryptographic tools implement their algorithms properly. See the full FIPS 140-2 standard at http://dx.doi.org/10.6028/NIST.FIPS.140-2 for further details on its security levels and the other specifications of the FIPS standard.
To learn about compliance requirements, see the Red Hat Government Standards page.

9.1.1. Enabling FIPS Mode

To make Red Hat Enterprise Linux compliant with the Federal Information Processing Standard (FIPS) Publication 140-2, you need to make several changes to ensure that accredited cryptographic modules are used. You can either enable FIPS mode during system installation or after it.

During the System Installation

To fulfil strict FIPS 140-2 compliance, add the fips=1 kernel option to the kernel command line during system installation. With this option, all key generation is done with FIPS-approved algorithms and continuous monitoring tests are in place. After the installation, the system is configured to boot into FIPS mode automatically.

Important

Ensure that the system has plenty of entropy during the installation process by moving the mouse around or by pressing many keystrokes. The recommended number of keystrokes is 256 or more. Fewer than 256 keystrokes might generate a non-unique key.

After the System Installation

To turn the kernel space and user space of your system into FIPS mode after installation, follow these steps:
  1. Install the dracut-fips package:
    ~]# yum install dracut-fips
    For CPUs with the AES New Instructions (AES-NI) support, install the dracut-fips-aesni package as well:
    ~]# yum install dracut-fips-aesni
  2. Regenerate the initramfs file:
    ~]# dracut -v -f
    To enable the in-module integrity verification and to have all required modules present during the kernel boot, the initramfs file has to be regenerated.

    Warning

    This operation will overwrite the existing initramfs file.
  3. Modify boot loader configuration.
    To boot into FIPS mode, add the fips=1 option to the kernel command line of the boot loader. If /boot resides on a separate partition, also add the boot=<partition> parameter (where <partition> stands for the partition that holds /boot) to the kernel command line.
    To identify the boot partition, enter the following command:
    ~]$ df /boot
    Filesystem           1K-blocks      Used Available Use% Mounted on
    /dev/sda1               495844     53780    416464  12% /boot
    To ensure that the boot= configuration option works even if the device naming changes between boots, identify the universally unique identifier (UUID) of the partition by running the following command:
    ~]$ blkid /dev/sda1
    /dev/sda1: UUID="05c000f1-f899-467b-a4d9-d5ca4424c797" TYPE="ext4"
    Append the UUID to the kernel command line:
    boot=UUID=05c000f1-f899-467b-a4d9-d5ca4424c797
    Depending on your boot loader, make the following changes:
    • GRUB 2
      Add the fips=1 and boot=<partition of /boot> options to the GRUB_CMDLINE_LINUX key in the /etc/default/grub file. To apply the changes to /etc/default/grub, rebuild the grub.cfg file as follows:
      • On BIOS-based machines, enter the following command as root:
        ~]# grub2-mkconfig -o /etc/grub2.cfg
      • On UEFI-based machines, enter the following command as root:
        ~]# grub2-mkconfig -o /etc/grub2-efi.cfg
    • zipl (on the IBM Z Systems architecture only)
      Add the fips=1 and boot=<partition of /boot> options to the kernel command line in /etc/zipl.conf and apply the changes by entering:
      ~]# zipl
  4. Make sure prelinking is disabled.
    For proper operation of the in-module integrity verification, prelinking of libraries and binaries has to be disabled. Prelinking is done by the prelink package, which is not installed by default. Unless prelink has been installed, this step is not needed. To disable prelinking, set the PRELINKING=no option in the /etc/sysconfig/prelink configuration file. To disable existing prelinking on all system files, use the prelink -u -a command.
  5. Reboot your system.
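
The following shell script is an added example (not part of the Red Hat documentation) that checks the outcome of the steps above read-only: it builds the boot= parameter from blkid output, verifies that fips=1 and boot= are present on the kernel command line and in /etc/default/grub, confirms that prelinking is off, and looks for /etc/system-fips. It assumes /proc/sys/crypto/fips_enabled as the kernel's FIPS flag and the script name fips-check.sh, neither of which the page names.

```shell
#!/bin/sh
# Added example: a read-only check of the post-installation FIPS steps above.
# Assumption: /proc/sys/crypto/fips_enabled is the kernel's FIPS flag (not named on the page).

# Build the boot= parameter from one line of blkid output (step 3).
boot_param_from_blkid() {
    uuid=$(printf '%s\n' "$1" | sed -n 's/.*UUID="\([^"]*\)".*/\1/p')
    [ -n "$uuid" ] || return 1
    printf 'boot=UUID=%s\n' "$uuid"
}

# True if the command line carries the word exactly: "nofips=1" or "fips=10" do not count.
cmdline_has_word() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# True if the command line has fips=1 and, when /boot is a separate partition ($2=yes), boot=.
cmdline_complete() {
    cmdline_has_word "$1" fips=1 || return 1
    [ "$2" = yes ] || return 0
    case " $1 " in *" boot="*) return 0 ;; esac
    return 1
}

# Extract the GRUB_CMDLINE_LINUX value from an /etc/default/grub-style file.
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Step 4: fine if the prelink config is absent (package not installed) or sets PRELINKING=no.
prelink_disabled() {
    [ -f "$1" ] || return 0
    grep -q '^PRELINKING=no' "$1"
}

# Audit the running host; run as root: sh fips-check.sh --audit
audit_fips() {
    sep=no
    [ "$(stat -c %d /boot)" != "$(stat -c %d /)" ] && sep=yes
    cmdline_complete "$(cat /proc/cmdline)" "$sep" && echo "ok: /proc/cmdline" || echo "FAIL: /proc/cmdline"
    cmdline_complete "$(grub_cmdline /etc/default/grub)" "$sep" && echo "ok: grub" || echo "FAIL: /etc/default/grub"
    prelink_disabled /etc/sysconfig/prelink && echo "ok: prelink" || echo "FAIL: prelinking enabled"
    [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = 1 ] && echo "ok: kernel FIPS" || echo "FAIL: kernel not in FIPS mode"
    [ -f /etc/system-fips ] && echo "ok: /etc/system-fips" || echo "FAIL: /etc/system-fips missing"
}

if [ "${1:-}" = "--audit" ]; then audit_fips; fi
```

Run the audit after the reboot in step 5; every line should read ok before the host is considered to be in FIPS mode.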

Enabling FIPS Mode in a Container

A container can be switched to FIPS 140-2 mode if the host is also in FIPS 140-2 mode and one of the following requirements is met:
  • The dracut-fips package is installed in the container.
  • The /etc/system-fips file is mounted on the container from the host.