Enable FIPS on RHEL7 or CENTOS7

Are you a Linux professional looking to enhance your system’s security measures? Learn how to enable FIPS on your RHEL7/CentOS7 machine and ensure compliance with the Federal Information Processing Standard (FIPS) guidelines and standards.

Introduction

In the world of information security, compliance is essential. The Federal Information Processing Standard (FIPS) is a set of guidelines and standards for computer systems used by the United States government to ensure the security and interoperability of computer systems. Enabling FIPS on a RHEL7 or CentOS7 machine can provide additional security measures for your system. In this article, we’ll explain what FIPS is, its history, and how to enable it on a RHEL7/CentOS7 machine.

Photo by Mical Jarmoluk from Pixabay

What is FIPS?

FIPS (Federal Information Processing Standard) is a set of guidelines and standards for computer systems used by the United States government. These standards were developed by the National Institute of Standards and Technology (NIST) to ensure the security and interoperability of computer systems. FIPS compliance is mandatory for federal agencies and organizations that work with the government.

Brief History of FIPS

FIPS was established in 1985 by the National Bureau of Standards, which later became the National Institute of Standards and Technology (NIST). The purpose of FIPS was to provide a set of guidelines and standards for computer systems that are used by the U.S. government. Since then, the FIPS standards have been updated and revised to keep up with changes in technology and to address new security concerns.

Enabling FIPS on a RHEL7/CentOS7 machine

Enabling FIPS on a RHEL7/CentOS7 machine involves the following steps:

Step 1: Check for FIPS mode

Before enabling FIPS, you should check whether your system is already running in FIPS mode or not. You can do this by running the following command in a terminal window:

# cat /proc/sys/crypto/fips_enabled

If the output is 0, FIPS mode is not enabled; if it is 1, FIPS mode is already enabled.

Step 2: Installing FIPS modules

If your system is not running in FIPS mode, you need to install the FIPS modules. You can install the modules by running the following command:

# yum install dracut-fips dracut-fips-aesni
...
Dependencies Resolved

==================================================================================================================================================================================
 Package                                 Arch                         Version                              Repository                                                        Size
==================================================================================================================================================================================
Installing:
 dracut-fips                             x86_64                       033-572.el7                          repo1.dev.naijalabs.net_rhel-7-server-rpms                        63 k
 dracut-fips-aesni                       x86_64                       033-572.el7                          repo1.dev.naijalabs.net_rhel-7-server-rpms                        66 k
Installing for dependencies:
 hmaccalc                                x86_64                       0.9.13-4.el7                         repo1.dev.naijalabs.net_rhel-7-server-rpms                        26 k

Transaction Summary
==================================================================================================================================================================================
Install  2 Packages (+1 Dependent package)

Total download size: 156 k
Installed size: 126 k
Is this ok [y/d/N]: y

Note: Confirm that the CPU provides the AES-NI instruction set (the aes flag) before installing the dracut-fips-aesni package, which exists to load the AES-NI kernel modules early in boot. Either of the following commands will confirm it:

# cat /proc/cpuinfo | grep aes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq vmx ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes hypervisor lahf_lm ssbd rsb_ctxsw ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid tsc_adjust arat umip spec_ctrl intel_stibp arch_capabilities
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq vmx ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes hypervisor lahf_lm ssbd rsb_ctxsw ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid tsc_adjust arat umip spec_ctrl intel_stibp arch_capabilities

We can confirm that aes is working on this machine.

# lsmod | grep aes
aesni_intel           189456  0 
lrw                    13286  1 aesni_intel
glue_helper            13990  1 aesni_intel
ablk_helper            13597  1 aesni_intel
cryptd                 21190  3 ghash_clmulni_intel,aesni_intel,ablk_helper

BEST PRACTICE: Before making any changes to the /etc/default/grub file, save a backup of the current initramfs so that you can restore it if the machine fails to boot afterwards.

# cp -p /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).backup

Step 3: Enable FIPS in grub

Next, you need to enable FIPS on the kernel command line. Edit the /etc/default/grub file with your preferred text editor so that its GRUB_CMDLINE_LINUX line looks like the following (your own existing arguments stay in place):

GRUB_CMDLINE_LINUX="boot=UUID=b087d4d8-e9f4-4289-a019-78663103011c nofb splash=quiet crashkernel=auto rd.lvm.lv=VolGroup00/lv_root rd.lvm.lv=VolGroup00/lv_swap rhgb quiet fips=1"

Notice that in the GRUB_CMDLINE_LINUX value the UUID of the /boot filesystem is added at the beginning (boot=UUID=...) and fips=1 at the end. The boot= argument is what lets the FIPS integrity check locate the kernel's HMAC files under /boot when /boot is a separate filesystem, as it is here. You can find the UUID for /boot on your machine by running the following command:

# lsblk -fp | grep boot
├─/dev/vda1               xfs               b087d4d8-e9f4-4289-a019-78663103011c   /boot

Save the file and exit the text editor.
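
The edit in Step 3 is easy to get subtly wrong by hand (a second fips=1, a boot= that points at the wrong filesystem, a partial edit after a failed first attempt). The script below is an added example, not code from the original article: it rebuilds the GRUB_CMDLINE_LINUX value so that boot=UUID=<uuid> comes first and fips=1 last, drops any earlier boot=/fips= tokens so a second run changes nothing, and rewrites the file with a backup beside it. The --live switch, the .bak suffix and the sample grub file in the comments are this example's own conventions; findmnt and lsblk are the standard util-linux tools on RHEL7.

```shell
#!/bin/sh
# Added example, not from the original article: script the Step 3 edit of
# /etc/default/grub so that "boot=UUID=<uuid>" is placed first and "fips=1"
# last in GRUB_CMDLINE_LINUX, and running it twice does not duplicate either.

# Print the new argument list. Existing boot=/fips= tokens are dropped first,
# so the function is idempotent; everything else keeps its original order.
fips_cmdline() {
    existing=$1    # current value of GRUB_CMDLINE_LINUX, without the quotes
    boot_uuid=$2   # UUID of the filesystem mounted on /boot
    rest=$(printf '%s\n' "$existing" | tr ' ' '\n' \
           | grep -v -e '^boot=' -e '^fips=' -e '^$' | tr '\n' ' ')
    rest=${rest% }   # strip the trailing space left by tr
    if [ -n "$rest" ]; then
        printf 'boot=UUID=%s %s fips=1\n' "$boot_uuid" "$rest"
    else
        printf 'boot=UUID=%s fips=1\n' "$boot_uuid"
    fi
}

# Return 0 when an argument list already carries fips=1 and a boot= entry
# (works on the contents of /proc/cmdline after the reboot too), 1 otherwise.
fips_cmdline_ok() {
    padded=" $1 "   # pad so whole tokens are matched, not substrings
    case "$padded" in *" fips=1 "*) ;; *) return 1 ;; esac
    case "$padded" in *" boot="*) return 0 ;; *) return 1 ;; esac
}

# Rewrite (or append) the GRUB_CMDLINE_LINUX line of a grub defaults file in
# place, leaving a copy of the original beside it as <file>.bak.
# The shell sources this file, so the last assignment is the one that counts.
update_grub_default() {
    file=$1
    boot_uuid=$2
    current=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$file" | tail -n 1)
    new=$(fips_cmdline "$current" "$boot_uuid")
    tmp=$(mktemp)
    if grep -q '^GRUB_CMDLINE_LINUX=' "$file"; then
        # '|' is the sed delimiter; kernel arguments do not contain it
        sed "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"$new\"|" "$file" > "$tmp"
    else
        { cat "$file"; printf 'GRUB_CMDLINE_LINUX="%s"\n' "$new"; } > "$tmp"
    fi
    cp -p "$file" "$file.bak"
    cat "$tmp" > "$file"   # write through so the file keeps its owner and mode
    rm -f "$tmp"
}

# Live use on the host, as root, after installing the dracut-fips packages.
# findmnt only returns a device when /boot is its own filesystem, which is
# exactly the case in which the boot= argument is required.
if [ "${1:-}" = "--live" ]; then
    boot_dev=$(findmnt -n -o SOURCE /boot) \
        || { echo "/boot is not a separate filesystem" >&2; exit 1; }
    update_grub_default /etc/default/grub "$(lsblk -n -o UUID "$boot_dev")"
    grep '^GRUB_CMDLINE_LINUX=' /etc/default/grub
fi
```

After the script has rewritten /etc/default/grub, Step 4 (grub2-mkconfig) still has to be run for the change to reach grub.cfg; the script deliberately stops short of that so the new line can be reviewed first.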

Step 4: Regenerate grub

After making changes to the grub configuration file, you need to regenerate the grub configuration file by running the following command:

# grub2-mkconfig -o /boot/grub2/grub.cfg

If your system is configured to use UEFI, run this command instead:

# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

Step 5: Reboot the system

Finally, you need to reboot the system to apply the changes.

# /sbin/shutdown -r now

After the system reboots, you can check whether FIPS mode is enabled by running the command:

# cat /proc/sys/crypto/fips_enabled
1
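
The single kernel flag above is necessary but says nothing about how the system got there. As an added check that is not part of the original article, the script below gathers the post-reboot evidence in one place: the fips_enabled flag, the arguments the kernel actually booted with (/proc/cmdline, which is where a forgotten grub2-mkconfig shows up), and, on the live host, whether the dracut-fips package and its fips module are present in the running initramfs and whether OpenSSL behaves as it should in FIPS mode. The optional directory prefix and the --live switch are this example's own conventions, so the pure checks can be exercised against a constructed tree; rpm, lsinitrd and openssl are the real RHEL7 tools.

```shell
#!/bin/sh
# Added example, not from the original article: verify FIPS mode after the
# reboot. /proc/sys/crypto/fips_enabled and /proc/cmdline are the real kernel
# interfaces; the optional ROOT prefix is an assumption of this example so the
# checks can be run against a constructed directory tree as well as "/".

# Print one PASS/FAIL/WARN line per check; return 0 only when nothing FAILed.
fips_checks() {
    root=${1:-}
    fails=0

    flag=$(cat "$root/proc/sys/crypto/fips_enabled" 2>/dev/null || echo unreadable)
    if [ "$flag" = "1" ]; then
        echo "PASS kernel reports fips_enabled=1"
    else
        echo "FAIL kernel reports fips_enabled=$flag"
        fails=$((fails + 1))
    fi

    # Pad with spaces so whole tokens are matched, not substrings.
    cmdline=" $(cat "$root/proc/cmdline" 2>/dev/null || echo '') "
    case "$cmdline" in
        *" fips=1 "*) echo "PASS booted with fips=1" ;;
        *) echo "FAIL kernel command line lacks fips=1 (grub.cfg not regenerated?)"
           fails=$((fails + 1)) ;;
    esac
    case "$cmdline" in
        *" boot="*) echo "PASS boot= tells the fips module where to find /boot" ;;
        *) echo "WARN no boot= argument; acceptable only if /boot is not a separate filesystem" ;;
    esac

    [ "$fails" -eq 0 ]
}

# Checks that need the host's own tools; each is skipped when the tool is absent.
fips_live_extras() {
    if command -v rpm >/dev/null 2>&1; then
        if rpm -q dracut-fips >/dev/null 2>&1; then
            echo "PASS dracut-fips is installed"
        else
            echo "FAIL dracut-fips is not installed"
        fi
    fi
    if command -v lsinitrd >/dev/null 2>&1; then
        if lsinitrd 2>/dev/null | grep -qw fips; then
            echo "PASS running kernel's initramfs contains the fips dracut module"
        else
            echo "FAIL initramfs has no fips module (rebuild it with dracut -f, then reboot)"
        fi
    fi
    if command -v openssl >/dev/null 2>&1; then
        # In FIPS mode RHEL7's OpenSSL refuses MD5, so a failure here is the expected result.
        if openssl md5 /dev/null >/dev/null 2>&1; then
            echo "FAIL openssl still computes MD5, so userspace is not in FIPS mode"
        else
            echo "PASS openssl rejects MD5 as required in FIPS mode"
        fi
    fi
}

# Live use: run with "--live" on the rebooted host.
if [ "${1:-}" = "--live" ]; then
    fips_checks
    fips_live_extras
fi
```

The lsinitrd check exists because installing dracut-fips only adds the module to dracut's repertoire; Red Hat's guidance is to rebuild the initramfs with dracut -f after installing the package, which is also why the article has you back up the current initramfs first. An initramfs that predates the package boots with fips_enabled=1 but never performs the integrity checks the module is there to run.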

Conclusion

Enabling FIPS on a RHEL7/CentOS7 machine can provide additional security measures for your system. The Federal Information Processing Standard is a set of guidelines and standards for computer systems used by the United States government to ensure the security and interoperability of computer systems. By following the steps outlined in this article, you can enable FIPS on your RHEL7/CentOS7 machine and ensure that your system is in compliance with the FIPS standards.
