Are you a Linux professional looking to enhance your system’s security measures? Learn how to enable FIPS on your RHEL7/CentOS7 machine and ensure compliance with the Federal Information Processing Standard (FIPS) guidelines and standards.
In the world of information security, compliance is essential. The Federal Information Processing Standards (FIPS) are a set of standards for computer systems used by the United States government to ensure the security and interoperability of those systems. Enabling FIPS mode on a RHEL7 or CentOS7 machine restricts the system's cryptographic modules (the kernel crypto API, OpenSSL and the other validated libraries) to FIPS 140-2 approved algorithms and turns on their integrity and self-tests. In this article, we'll explain what FIPS is, its history, and how to enable it on a RHEL7/CentOS7 machine.
Photo by Mical Jarmoluk from Pixabay
FIPS (Federal Information Processing Standards) are standards for computer systems used by the United States government. They are developed by the National Institute of Standards and Technology (NIST) to ensure the security and interoperability of computer systems. Use of FIPS 140-validated cryptography is required for federal systems that protect sensitive information, and that requirement is usually passed on contractually to vendors and organizations that work with the government.
The FIPS series was created by the National Bureau of Standards, which became NIST in 1988. The standard that matters for Linux FIPS mode is FIPS 140 (Security Requirements for Cryptographic Modules); its 140-2 revision is the one RHEL 7's cryptographic modules are validated against. The FIPS standards have been updated and revised over time to keep up with changes in technology and to address new security concerns.
Enabling FIPS on a RHEL7/CentOS7 machine involves a few steps. Here are the detailed steps:
Before enabling FIPS, you should check whether your system is already running in FIPS mode or not. You can do this by running the following command in a terminal window:
# cat /proc/sys/crypto/fips_enabled
If the output is 0, it means that FIPS mode is not enabled. If the output is 1, it means that FIPS mode is already enabled.
If your system is not running in FIPS mode, you need to install the dracut-fips package, which adds the FIPS integrity check to the initramfs, plus dracut-fips-aesni if your CPU supports the AES-NI instructions. You can install them by running the following command:
# yum install dracut-fips dracut-fips-aesni
...
Dependencies Resolved
==================================================================================================================================================================================
Package Arch Version Repository Size
==================================================================================================================================================================================
Installing:
dracut-fips x86_64 033-572.el7 repo1.dev.naijalabs.net_rhel-7-server-rpms 63 k
dracut-fips-aesni x86_64 033-572.el7 repo1.dev.naijalabs.net_rhel-7-server-rpms 66 k
Installing for dependencies:
hmaccalc x86_64 0.9.13-4.el7 repo1.dev.naijalabs.net_rhel-7-server-rpms 26 k
Transaction Summary
==================================================================================================================================================================================
Install 2 Packages (+1 Dependent package)
Total download size: 156 k
Installed size: 126 k
Is this ok [y/d/N]: y
Note: Ensure that the CPU supports AES-NI (the aes flag) before installing the dracut-fips-aesni package; on a CPU without it, install dracut-fips alone. Either one of the following commands will show whether the instruction set is present:
# cat /proc/cpuinfo | grep aes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq vmx ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes hypervisor lahf_lm ssbd rsb_ctxsw ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid tsc_adjust arat umip spec_ctrl intel_stibp arch_capabilities
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq vmx ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes hypervisor lahf_lm ssbd rsb_ctxsw ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid tsc_adjust arat umip spec_ctrl intel_stibp arch_capabilities
The aes flag is present in the CPU flags, so this machine supports AES-NI. A second check is whether the kernel has loaded the aesni_intel module:
# lsmod | grep aes
aesni_intel 189456 0
lrw 13286 1 aesni_intel
glue_helper 13990 1 aesni_intel
ablk_helper 13597 1 aesni_intel
cryptd 21190 3 ghash_clmulni_intel,aesni_intel,ablk_helper
BEST PRACTICE: Before rebuilding the initramfs or touching /etc/default/grub, save a backup of the current initramfs. Once dracut-fips is installed you must regenerate the initramfs (run dracut -f for the running kernel) so that it actually contains the fips module; booting with fips=1 and an initramfs that lacks it will fail. If the prelink package is installed, set PRELINKING=no in /etc/sysconfig/prelink and undo existing prelinking with prelink -u -a first, because prelinked binaries fail the FIPS integrity checks.
# cp -p /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).backup
Next, you need to enable FIPS in the grub configuration. Edit /etc/default/grub (using your preferred text editor) and modify the existing GRUB_CMDLINE_LINUX line rather than adding a second one: append fips=1 and, if /boot is a separate partition, add boot=UUID=<uuid of /boot> so the kernel can locate the initramfs integrity data. On this machine the line ends up as:
GRUB_CMDLINE_LINUX="boot=UUID=b087d4d8-e9f4-4289-a019-78663103011c nofb splash=quiet crashkernel=auto rd.lvm.lv=VolGroup00/lv_root rd.lvm.lv=VolGroup00/lv_swap rhgb quiet fips=1"
Notice that the UUID of the /boot partition is added at the beginning of the GRUB_CMDLINE_LINUX value and fips=1 at the end. The boot= parameter is only needed when /boot is its own filesystem; if /boot lives on the root filesystem, leave it out. You can find the UUID for /boot on your machine by running the following command:
# lsblk -fp | grep boot
├─/dev/vda1 xfs b087d4d8-e9f4-4289-a019-78663103011c /boot
Save the file and exit the text editor.
After making changes to the grub configuration file, you need to regenerate the grub configuration file by running the following command:
# grub2-mkconfig -o /boot/grub2/grub.cfg
If your system is configured to use UEFI, run this command instead (on CentOS the EFI directory is /boot/efi/EFI/centos rather than /boot/efi/EFI/redhat):
# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
Finally, you need to reboot the system to apply the changes.
# /sbin/shutdown -r now
After the system reboots, you can check whether FIPS mode is enabled by running the command below; a value of 1 confirms the kernel is in FIPS mode, and fips=1 should also appear in /proc/cmdline:
# cat /proc/sys/crypto/fips_enabled
1
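The whole procedure above, collected into one idempotent script, as an added example that is not part of the original article. It assumes a RHEL7/CentOS7 host with yum, dracut, grub2-mkconfig and findmnt available (all stock on RHEL 7); the function names and the /etc/default/grub.pre-fips backup path are this example's own choices. It also performs the two steps the walkthrough leaves implicit, disabling prelink and rebuilding the initramfs after dracut-fips is installed, and chooses the grub.cfg path by firmware type and vendor.

```shell
#!/bin/bash
# Added example, not from the original article: an idempotent helper for the
# RHEL7/CentOS7 FIPS enablement procedure. Run as root: ./fips.sh --apply
# Assumes yum, dracut, grub2-mkconfig and findmnt are present (stock RHEL7).
set -u

fips_is_enabled() {            # 0 if the kernel is already in FIPS mode
    [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = "1" ]
}

cpu_has_aesni() {              # AES-NI present -> dracut-fips-aesni is worth installing
    grep -qw aes /proc/cpuinfo 2>/dev/null
}

# Pure string function: add fips=1 (once) and, when a /boot UUID is given,
# boot=UUID=... (once) to an existing GRUB_CMDLINE_LINUX value. Echoes result.
add_fips_cmdline() {
    local boot_uuid="${2:-}" out="$1"
    case " $out " in *" fips=1 "*) ;; *) out="$out fips=1" ;; esac
    if [ -n "$boot_uuid" ]; then
        case " $out " in *" boot=UUID="*) ;; *) out="boot=UUID=$boot_uuid $out" ;; esac
    fi
    echo "$out" | tr -s ' ' | sed 's/^ //; s/ $//'
}

# grub.cfg location: BIOS vs UEFI, and the EFI directory differs by vendor.
grub_cfg_path() {              # args: efi|bios  rhel|centos
    if [ "$1" = "efi" ]; then
        [ "$2" = "centos" ] && echo /boot/efi/EFI/centos/grub.cfg || echo /boot/efi/EFI/redhat/grub.cfg
    else
        echo /boot/grub2/grub.cfg
    fi
}

detect_firmware() { [ -d /sys/firmware/efi ] && echo efi || echo bios; }
detect_distro()   { grep -qi centos /etc/redhat-release 2>/dev/null && echo centos || echo rhel; }

# UUID of /boot only if it is its own filesystem (boot= is needed only then);
# findmnt prints nothing for a path that is not a mount point.
boot_uuid_if_separate() { findmnt -no UUID /boot 2>/dev/null || true; }

apply_fips_mode() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    if fips_is_enabled; then echo "FIPS mode already enabled"; return 0; fi
    local pkgs="dracut-fips" kver cur new uuid
    cpu_has_aesni && pkgs="$pkgs dracut-fips-aesni"
    yum -y install $pkgs || return 1
    # prelink rewrites binaries and would break the FIPS integrity (HMAC) checks
    if [ -f /etc/sysconfig/prelink ]; then
        sed -i 's/^PRELINKING=yes/PRELINKING=no/' /etc/sysconfig/prelink
        command -v prelink >/dev/null && prelink -u -a
    fi
    kver=$(uname -r)
    cp -p "/boot/initramfs-$kver.img" "/boot/initramfs-$kver.backup"
    dracut -f || return 1        # rebuild initramfs so it carries the fips module
    uuid=$(boot_uuid_if_separate)
    cur=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' /etc/default/grub)
    new=$(add_fips_cmdline "$cur" "$uuid")
    cp -p /etc/default/grub /etc/default/grub.pre-fips
    sed -i "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"$new\"|" /etc/default/grub
    grub2-mkconfig -o "$(grub_cfg_path "$(detect_firmware)" "$(detect_distro)")" || return 1
    echo "configured: reboot, then run $0 --verify"
}

verify_fips_mode() {           # after reboot: sysctl and kernel cmdline must agree
    fips_is_enabled && grep -qw 'fips=1' /proc/cmdline
}

case "${1:-}" in
    --apply)  apply_fips_mode ;;
    --verify) verify_fips_mode && echo "FIPS mode is enabled" ;;
esac
```

The kernel-command-line editing is kept in a pure function (add_fips_cmdline) so it can be exercised without root and so running the script twice never produces a duplicated fips=1 or boot= entry; everything that changes the host lives in apply_fips_mode and is reached only with --apply.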
Enabling FIPS mode on a RHEL7/CentOS7 machine forces the system's cryptographic modules into their FIPS 140-2 approved mode, with non-approved algorithms disabled and integrity checks enforced at boot. Keep in mind that fips=1 is a configuration, not a certification: a compliant deployment also depends on running the package versions that hold the validation and on applications actually using those modules rather than bundling their own crypto. By following the steps outlined in this article, you can enable FIPS mode on your RHEL7/CentOS7 machine as the foundation for meeting the FIPS requirements.