FIPS 140-2

Federal Information Processing Standard (FIPS) Publication 140-2: Security Requirements for Cryptographic Modules

RHEL 6 FIPS 140-2 compliant https://access.redhat.com/solutions/137833

Resolution

Red Hat Enterprise Linux 6 is now certified for FIPS compliance. Please see Government standards

Refer article on How can I make Red Hat Enterprise Linux 5 FIPS 140-2 compliant?

Prerequisites

dracut-fips and optionally dracut-fips-aesni
libgcrypt
nss-tools
openswan
openssh-clients
openssh-server
openssl

Steps to Configure

Edit /etc/sysconfig/prelink and disable prelinking.

• Note: This file is provided by the prelink package, if this is not installed you can skip this step.

PRELINKING=no

Run command prelink and revert binaries and libraries to their original content before they were prelinked.

# prelink -u -a

Install the appropriate FIPS enabled version of dracut.

# yum install dracut-fips 

If using AESNI(Advanced Encryption Standard Instruction Set) install dracut-fips-aesni.

# yum-config-manager --enable rhel-6-server-optional-rpms
# yum install dracut-fips-aesni

Note: you will need to add the Server Optional RPMs repository for dracut-fips-aesni.

---

Back up your current /boot/initramfs image, and run dracut with the -f flag to build a new FIPS enabled initramfs.

# cp /boot/initramfs-2.6.32-358.el6.x86_64.img /boot/initramfs-nofips-2.6.32-358.el6.x86_64.img
# dracut -v -f

Edit /etc/grub.conf and append fips=1 to the kernel line.

If the /boot or /boot/efi resides on a separate partition the kernel parameterboot=<partition of /boot or /boot/efi must also be added.
Note: the /boot partition must be on a separate partition and not part of the / partition.

Missing this step can result in a failure of the FIPS integrity test at boot, noted in the following article:

Kernel panic after making Red Hat Enterprise Linux 6 FIPS 140-2 compliant.

Use df /boot to figure out what goes into the boot parameter and append it to the kernel line in/etc/grub.conf.

kernel /vmlinuz quiet rhgb ... fips=1 boot=/dev/sda1

Reboot the host.

# reboot

At this point in time the Kernel is running in FIPS mode following the Kernel Crypto API Cryptographic Module and its security policies.

---

While the Kernel is running in FIPS mode not all other services / tools are (unless they are FIPS aware). In the cases where tools are not FIPS aware you will need to do some additional configuration.

Example:

Edit /etc/ssh/sshd_config and add the following. Protocol 2 should already be uncommented in most cases.
- Note: also configure SSHD / SSH to use pre-defined list of ciphers.

Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
Macs hmac-sha1

Run the Netscape Cryptographic Module Utility and enable FIPS mode.
- IE: Create a FIPS compliant keystore/truststore.

# modutil -fips true -dbdir /etc/ipsec.d

Diagnostic Steps

Verify that FIPS has been enabled, the below will return "1" if FIPS is enabled.

# cat /proc/sys/crypto/fips_enabled

If using dracut-fips-aesni verify the AES modules are loaded

# lsmod | grep aes

aesni_intel            12915  0 
cryptd                  8006  1 aesni_intel
aes_x86_64              7914  1 aesni_intel
aes_generic            27609  2 aesni_intel,aes_x86_64

RHEL 5 FIPS 140-2 compliant https://access.redhat.com/articles/38655

Resolution

¶Ensure access to the following accredited packages is available:

|**Name**|**Version**|
|-|-|
|kernel|2.6.18-164.2.1.el5|
|libgcrypt|1.4.4-5.el5|
|openssl|0.9.8e-12.el5|
|openswan|2.6.21-5.el5_4.3|
|nss|3.12.6-2.el5_4|
|selinux-policy|2.4.6-255.el5_4.2|
|fipscheck-lib|1.2.0-1.el5|

Kernel

¶Verify the version of libgcrypt running is 1.4.4-5.el5 [1].

rpm -qi libgcrypt

¶Ensure prelinking is disabled [1]:

change the line "PRELINKING=yes" to "PRELINKING=no" in /etc/sysconfig/prelink

¶If the libraries were already prelinked, the prelink should be  undone on all the system files using the following command [5]:

prelink -u -a 

¶Recreate the initial RAM disk [1].

¶for x86_64 based platforms:

mkinitrd --with-fips -f /boot/initrd-$(uname -r).img $(uname -r)

¶for IA64 based platforms:

mkinitrd --with-fips -f /boot/efi/efi/redhat/initrd-$(uname -r).img $(uname -r)

¶Append the following to the current Linux kernel line in the /etc/grub.conf [1].

fips=1

¶For example:

# grub.conf generated by anaconda  
#  
# Note that you do not have to rerun grub after making changes to this file  
# NOTICE:  You have a /boot partition.  This means that  
# all kernel and initrd paths are relative to /boot/, eg.  
# root (hd0,0)  
# kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00  
# initrd /initrd-version.img  
# boot=/dev/vda  
default=0  
timeout=5  
splashimage=(hd0,0)/grub/splash.xpm.gz  
hiddenmenu  
title Red Hat Enterprise Linux Server (2.6.18-194.el5)  
  root (hd0,0)  
  kernel /vmlinuz-2.6.18-194.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet fips=1  
  initrd /initrd-2.6.18-194.el5.img

¶To verify that FIPS mode is enabled, check the contents of /proc/sys/crypto/fips_enabled [6]

cat /proc/sys/crypto/fips_enabled

¶If the value returned is 1 then FIPS mode is enabled, if the value returned is 0 then FIPS mode is disabled.

¶If in the future you need to update the kernel, a new FIPS enabled initrd will be built automatically if mkinitrd sees that  /proc/sys/crypto/fips_enabled has a 1 in it. So, once you are in FIPS mode, the kernel will continue to stay in FIPS mode across updates.

OpenSSH

¶If using OpenSSH Server or Client, ensure the following values are set in the/etc/ssh/sshd_config and ~/.ssh/config file respectively [3][4]:

• Either no "Ciphers" option or the option with a subset out of  "aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc";
• Either no "MACs" option or the option with "hmac-sha1";
• "Protocol 2" must be specified.

¶To check if changes to the sshd_config need to be made the following checks can be run:

#egrep -i 'aes128-ctr|aes192-ctr|aes256-ctr|aes128-cbc|3des-cbc|aes192-cbc|aes256-cbc' /etc/ssh/sshd_config
#egrep -i 'hmac' /etc/ssh/sshd_config
#egrep -i 'protocol' /etc/ssh/sshd_config

¶Make changes to meet these requirements.

OpenSSL

¶Verify the version of openssl running is 0.9.8e-12.el5 [5].

rpm -qi openssl

Openswan

¶Verify the version of openswan running is 2.6.21-5.el5_4.3 [6]:

rpm -qi openswan

¶Verify the version of nss running is 3.12.6-2.el5_4 [6]:

rpm -qi nss

¶Verify the version of selinux-policy is 2.4.6-255.el5_4.2 [6]:

rpm -qi selinux-policy

¶The database for the cryptographic keys used by the pluto daemon must be initialized after it has been created as documented in the README.nss documentation with the following command assuming that the database is stored in the directory /etc/ipsec.d/

modutil -fips true -dbdir /etc/ipsec.d

netapp notes

Clearing NFS locks on a Network Appliance Filer

To remove stuck file locks:

1. Login to appliance
2. Enter priv set advanced
3. To clear all current locks, enter: sm_mon -l
   To clear locks for a single client system, enter sm_mon -l client
4. Enter priv set

Note that priv set advanced is advertised as mind-bogglingly dangerous and is therefore not to be used without the guidance of support.

Priv Commands:

availtime
blink_off
blink_on
bootfs
cmos_read
cmos_write
dd
disk
disk_list
disk_stat
environ
exit
getXXbyYY
hammer
ic
ifinfo
inodepath
java
led_off
led_off_all
led_on
led_on_all
led_on_off
led_test
led_test_one
lmem_stat
log
ls
mbstat
mem_scrub_stats
memerr
mv
nfs_hist
ontapi
panic
perf
ps
rdfile
registry
remote
result
revert_to
rm
rmt
rsm
rtag
rtfo
sata
scsi
sh
show_bios_log
showfh
showfh4
sm_mon
sm_mon_old
sm_not
smb_hist
snet
statit
stty
syslog
tape_qual
test_lcd
toe
waffinity_stats
wafl
wafl_susp
wrfile

VM OS tuning

http://lonesysadmin.net/linux-virtual-machine-tuning-guide/

RHEL6 in readonly mode

http://www.vxcompany.info/2011/05/05/howto-rhel6-in-readonly-mode/

HOWTO: RHEL6 in readonly mode

I would like to make a RHEL system read-only. This is obviously not possible for the complete system. For example directories like /tmp en /var need write access. Why would I want this? There are various reasons:

1. Security. It’s safe(r). Nobody can tamper with you’re system, unless they get root access. Getting root access is by itself pretty hard, but not impossible. I will add some simple tips to make it even harder to gain root access.
2. Performance. Because most of the filesystem is readonly, there is no need for locking, making the IO system faster.
3. Backup. Because the best part of the filesystem is readonly, that part needs to be back-ed up only once, making backup’s faster en smaller.

I will sum up the various things to make this work:

First, you need to think about you’re file system and partition layout. The following is needed at a minimum (make the size as needed):

• Seperate /boot partition. This is mainly necessary if you’re going to put the rest into LVM, which we will.
• A seperate LV for /
• Seperate LV’s for /home, /tmp, /var and swap. I also wanted to put /root into a seperate LV, but anaconda refused to do this.

Install the system and login with root. Next, make the following adjustments:

• Add the noexec option to the mountoptions of the /tmp, /var, /boot, swap and possibly /homefilesystems. This prevents the execution of executables on these filesystems, even if you have execute permission. If you want you’re users to be able to execute scripts from their home directory, don’t add this to the /home filesystem.
• Add the ro option to the root filesystem. Don’t be surprised is you’ll end up with a writable root filesystem after reboot. More needs to be done.
• Some files in /etc need write access, although imho they don’t belong there, because of this. These files are /etc/mtab and /etc/resolv.conf. mtab is more or less deprecated and /proc/mountsgives you the same and even more info. However, the system complains about not being able to write to it. /etc/resolv.conf must only be writeable is the system is on DHCP and under the control of NetworkManager. Most servers have a static ip stack and don’t need NetworkManager. Create a directory /vat/etc, move /etc/mtab and, if needed, /etc/resolv.conf to this directory and create symlinks to them from their old location in /etc.
• Add the following two lines to the end of /etc/rc.d/rc.local:

umount /boot
mount -o remount,ro /

This will unmount /boot and remounts the root filesystem to readonly. This file is executed at the end of the boot procedure and will unmount the /boot filesystem and make the root filesystem readonly. The /boot filesystem is only needed during boot and maintenance.

• As root, create the directory /root/bin and create 2 scripts, named mainton and maintoff inside it. Make sure these two scripts have mode 6000 on them. We put these scripts in /root/bin because this directory is only accessable by root and is present in the path of the root user. Pretty safe. The function of the mainton script is to change the system to “maintenance mode” by making the root filesystem writeable again and by mounting the boot filesystem on it. maintoff, as you would guess, reverts this again, putting the system into “safe” mode. The two scripts look like this:

/root/bin/mainton:

#!/bin/sh
mount -o remount,rw /
mount /boot
echo "System now in Maintenance Mode.."
exit 0

/root/bin/maintoff:

#!/bin/sh
if [ -d /boot/grub ]; then umount /boot; fi
mount -o remount,ro /
echo "System now in Safe Mode.."
exit 0

• Add the /root/bin/maintoff script to /root/.bash_logout. This will put the system into safe mode implicetly when you logout, in case you forgot to do it explicetly.

Now, if maintenance is needed, simply execute mainton and everything is back to “normal”. After maintenace, don’t forget to put the system back into safe mode by executing maintoff. Depending on the function of the server, more stuff needs to be done. For example, if you install apache onto this system, the websites end up in /var/www. That’s a writeable filesystem and I don’t particularly like to have my website on that. Better move it to /web or something, but don’t forget to change the SELinux policies to reflect this. Some apps like to have themselves installed in /opt and want to have write access to some files in there. Find out what files need write access and move them to a location in /var, where they belong. Just use the same procedure as with /etc/mtab.

If this is a virtual filesystem, things get even better. Put all the readonly filesystems, /tmp, and swap on one virtual disk, /var and /home on another. save the virtual disk with the readonly filesystems as a template disk. Restoring the system is now simply copying the template and restoring the virtual disk with /var on it. Don’t forget to create  a new template after doing maintenance.

For backup purpose, only /var needs to be back-ed up. Doing backup’s and restores fast using snapshot technology is for another HOWTO post.