Rules Related To 'fips'

Component overview

Relevant packages:

Relevant groups:

None

Changelog:

No changes recorded.

Relevant rules:

Rule details

Configure AIDE to Use FIPS 140-2 for Validating Hashes

aide_use_fips_hashes

Description

By default, the sha512 option is added to the NORMAL ruleset in AIDE. If using a custom ruleset or the sha512 option is missing, add sha512 to the appropriate ruleset. For example, add sha512 to the following line in /etc/aide.conf:

NORMAL = FIPSR+sha512
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.

Rationale

File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes.

Enable Dracut FIPS Module

enable_dracut_fips_module

Description

To enable FIPS mode, run the following command:

fips-mode-setup --enable
To enable FIPS, the system requires that the fips module is added in dracut configuration. Check if /etc/dracut.conf.d/40-fips.conf contain add_dracutmodules+=" fips "

Rationale

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Enable FIPS Mode

enable_fips_mode

Description

To enable FIPS mode, run the following command:

fips-mode-setup --enable

The fips-mode-setup command will configure the system in FIPS mode by automatically configuring the following:

Rationale

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Ensure '/etc/system-fips' exists

etc_system_fips_exists

Description

On a system where FIPS mode is enabled, /etc/system-fips must exist. To enable FIPS mode, run the following command:

fips-mode-setup --enable

Rationale

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Enable FIPS Mode in GRUB2

grub2_enable_fips_mode

Description

To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:

$ sudo yum install dracut-fips
dracut -f
After the dracut command has been run, add the argument fips=1 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 fips=1"
Finally, rebuild the grub.cfg file by using the
grub2-mkconfig -o
command as follows:

Rationale

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Verify '/proc/sys/crypto/fips_enabled' exists

is_fips_mode_enabled

Description

On a system where FIPS 140-2 mode is enabled, /proc/sys/crypto/fips_enabled must exist. To verify FIPS mode, run the following command:

cat /proc/sys/crypto/fips_enabled

Rationale

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Install the dracut-fips-aesni Package

package_dracut-fips-aesni_installed

Description

To enable FIPS on system that support the Advanced Encryption Standard (AES) or New Instructions (AES-NI) engine, the system requires that the dracut-fips-aesni package be installed. The dracut-fips-aesni package can be installed with the following command:

$ sudo yum install dracut-fips-aesni

Rationale

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Install the dracut-fips Package

package_dracut-fips_installed

Description

To enable FIPS, the system requires that the dracut-fips package be installed. The dracut-fips package can be installed with the following command:

$ sudo yum install dracut-fips

Rationale

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Enable the fips_mode SELinux Boolean

sebool_fips_mode

Description

By default, the SELinux boolean fips_mode is enabled. This allows all SELinux domains to execute in fips_mode. If this setting is disabled, it should be enabled. To enable the fips_mode SELinux boolean, run the following command:

$ sudo setsebool -P fips_mode on

Rationale

Set kernel parameter 'crypto.fips_enabled' to 1

sysctl_crypto_fips_enabled

Description

System running in FIPS mode is indicated by kernel parameter 'crypto.fips_enabled'. This parameter should be set to 1 in FIPS mode. To enable FIPS mode, run the following command:

fips-mode-setup --enable
To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot parameters during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place.

Rationale

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.