RHEL 6 FIPS 140-2 compliant https://access.redhat.com/solutions/137833
Resolution
Red Hat Enterprise Linux 6 is now certified for FIPS compliance. Please see Government standards.
Refer to the article "How can I make Red Hat Enterprise Linux 5 FIPS 140-2 compliant?" (included below).
Prerequisites
- dracut-fips and optionally dracut-fips-aesni
- libgcrypt
- nss-tools
- openswan
- openssh-clients
- openssh-server
- openssl
Steps to Configure
1. Edit /etc/sysconfig/prelink and disable prelinking.
   - Note: This file is provided by the prelink package; if it is not installed you can skip this step.
   PRELINKING=no
2. Run prelink and revert binaries and libraries to their original content before they were prelinked.
   # prelink -u -a
3. Install the appropriate FIPS enabled version of dracut.
   # yum install dracut-fips
4. If using AESNI (Advanced Encryption Standard Instruction Set), install dracut-fips-aesni.
   # yum-config-manager --enable rhel-6-server-optional-rpms
   # yum install dracut-fips-aesni
   Note: you will need to add the Server Optional RPMs repository for dracut-fips-aesni.
5. Back up your current /boot/initramfs image, and run dracut with the -f flag to build a new FIPS enabled initramfs.
   # cp /boot/initramfs-2.6.32-358.el6.x86_64.img /boot/initramfs-nofips-2.6.32-358.el6.x86_64.img
   # dracut -v -f
6. Edit /etc/grub.conf and append fips=1 to the kernel line.
   Note: if /boot or /boot/efi resides on a separate partition, the kernel parameter boot=<partition of /boot or /boot/efi> must also be added.
   Note: the /boot partition must be on a separate partition and not part of the / partition. Missing this step can result in a failure of the FIPS integrity test at boot, noted in the following article:
   Use df /boot to figure out what goes into the boot parameter and append it to the kernel line in /etc/grub.conf.
   kernel /vmlinuz quiet rhgb ... fips=1 boot=/dev/sda1
7. Reboot the host.
   # reboot
At this point the kernel is running in FIPS mode, following the Kernel Crypto API Cryptographic Module and its security policies.
While the kernel is running in FIPS mode, not all other services and tools are (unless they are FIPS aware). Where a tool is not FIPS aware you will need to do some additional configuration.
Example:
Edit /etc/ssh/sshd_config and add the following. Protocol 2 should already be uncommented in most cases.
- Note: also configure SSHD / SSH to use a pre-defined list of ciphers.
Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
Macs hmac-sha1
Run the Netscape Cryptographic Module Utility and enable FIPS mode.
- IE: Create a FIPS compliant keystore/truststore.
# modutil -fips true -dbdir /etc/ipsec.d
Diagnostic Steps
Verify that FIPS has been enabled; the command below returns "1" if FIPS is enabled.
# cat /proc/sys/crypto/fips_enabled
If using dracut-fips-aesni, verify the AES modules are loaded:
# lsmod | grep aes
aesni_intel 12915 0
cryptd 8006 1 aesni_intel
aes_x86_64 7914 1 aesni_intel
aes_generic 27609 2 aesni_intel,aes_x86_64
RHEL 5 FIPS 140-2 compliant https://access.redhat.com/articles/38655
Resolution
Ensure access to the following accredited packages is available:
|**Name**|**Version**|
|-|-|
|kernel|2.6.18-164.2.1.el5|
|libgcrypt|1.4.4-5.el5|
|openssl|0.9.8e-12.el5|
|openswan|2.6.21-5.el5_4.3|
|nss|3.12.6-2.el5_4|
|selinux-policy|2.4.6-255.el5_4.2|
|fipscheck-lib|1.2.0-1.el5|
Kernel
Verify the version of libgcrypt running is 1.4.4-5.el5 [1].
rpm -qi libgcrypt
Ensure prelinking is disabled [1]:
change the line "PRELINKING=yes" to "PRELINKING=no" in /etc/sysconfig/prelink
If the libraries were already prelinked, the prelink should be undone on all the system files using the following command [5]:
prelink -u -a
Recreate the initial RAM disk [1].
For x86_64 based platforms:
mkinitrd --with-fips -f /boot/initrd-$(uname -r).img $(uname -r)
For IA64 based platforms:
mkinitrd --with-fips -f /boot/efi/efi/redhat/initrd-$(uname -r).img $(uname -r)
Append the following to the current Linux kernel line in /etc/grub.conf [1].
fips=1
For example:
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00
# initrd /initrd-version.img
# boot=/dev/vda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux Server (2.6.18-194.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-194.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet fips=1
initrd /initrd-2.6.18-194.el5.img
To verify that FIPS mode is enabled, check the contents of /proc/sys/crypto/fips_enabled [6]:
cat /proc/sys/crypto/fips_enabled
If the value returned is 1 then FIPS mode is enabled; if the value returned is 0 then FIPS mode is disabled.
If in the future you need to update the kernel, a new FIPS enabled initrd will be built automatically if mkinitrd sees that /proc/sys/crypto/fips_enabled has a 1 in it. So, once you are in FIPS mode, the kernel will continue to stay in FIPS mode across updates.
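The boot-time configuration from the RHEL 6 "Steps to Configure" and "Diagnostic Steps" sections and from the RHEL 5 "Kernel" section above (prelinking disabled, fips=1 on the kernel line, boot=<device> when /boot is a separate partition, /proc/sys/crypto/fips_enabled reading 1) can be audited from copies of the files without rebooting. The script below is an added example and is not code from either Red Hat article: every check takes file paths as arguments, the boot= rule follows the RHEL 6 article (pass an empty device when /boot is not a separate partition), and the prelink, grub.conf, fips_enabled and df samples it builds are constructed for the demonstration rather than taken from a real system.

```shell
#!/bin/sh
# Added example (not from the Red Hat articles): offline audit of the FIPS
# boot configuration described above. Every check takes file paths as
# arguments, so it can be pointed at the real files (/etc/sysconfig/prelink,
# /etc/grub.conf, /proc/sys/crypto/fips_enabled) or at the constructed
# samples built at the bottom of this script.

# Prelinking must be disabled. A missing file passes because the prelink
# package may simply not be installed (the article says to skip the step).
fips_check_prelink() {
    [ -f "$1" ] || return 0
    grep -Eq '^[[:space:]]*PRELINKING=no' "$1"
}

# /proc/sys/crypto/fips_enabled must read 1 once the kernel runs in FIPS mode.
fips_check_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# Derive the boot= value from "df -P /boot" output read on stdin: prints the
# device when /boot (or /boot/efi) is its own filesystem, nothing when the
# path belongs to the / filesystem.
fips_boot_param_from_df() {
    awk 'NR > 1 && ($NF == "/boot" || $NF == "/boot/efi") { print $1 }'
}

# Every kernel line in grub.conf must carry fips=1 and, when $2 names the
# separate /boot device, boot=$2 as well (pass "" when /boot is not separate).
fips_check_grub() {
    grub_conf="$1"
    boot_dev="$2"
    kernel_lines=$(grep -E '^[[:space:]]*kernel[[:space:]]' "$grub_conf") || return 1
    if printf '%s\n' "$kernel_lines" | grep -Evq '(^|[[:space:]])fips=1([[:space:]]|$)'; then
        return 1    # at least one kernel line lacks fips=1
    fi
    if [ -n "$boot_dev" ] &&
       printf '%s\n' "$kernel_lines" | grep -Evq "(^|[[:space:]])boot=$boot_dev([[:space:]]|$)"; then
        return 1    # at least one kernel line lacks boot=<device>
    fi
    return 0
}

# ---- constructed samples (not copies of real system files) ----
FIPS_SAMPLES=$(mktemp -d)
trap 'rm -rf "$FIPS_SAMPLES"' EXIT
printf 'PRELINKING=no\n'  > "$FIPS_SAMPLES/prelink.ok"
printf 'PRELINKING=yes\n' > "$FIPS_SAMPLES/prelink.bad"
printf '1\n' > "$FIPS_SAMPLES/fips_enabled"
# RHEL 6 style entry with /boot on its own partition: fips=1 and boot= present.
cat > "$FIPS_SAMPLES/grub.ok" <<'EOF'
default=0
title Red Hat Enterprise Linux Server (2.6.32-358.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-358.el6.x86_64 ro root=/dev/mapper/vg-root rhgb quiet fips=1 boot=/dev/sda1
        initrd /initramfs-2.6.32-358.el6.x86_64.img
EOF
# Same entry without boot=: the integrity test fails at boot when /boot is separate.
cat > "$FIPS_SAMPLES/grub.noboot" <<'EOF'
title Red Hat Enterprise Linux Server (2.6.32-358.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-358.el6.x86_64 ro root=/dev/mapper/vg-root rhgb quiet fips=1
        initrd /initramfs-2.6.32-358.el6.x86_64.img
EOF
DF_BOOT_SEPARATE='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/sda1 495844 33944 436300 8% /boot'
DF_BOOT_ON_ROOT='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/mapper/vg-root 20511356 3032532 16420252 16% /'

report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }
report fips_check_prelink "$FIPS_SAMPLES/prelink.ok"
report fips_check_prelink "$FIPS_SAMPLES/prelink.bad"
report fips_check_enabled "$FIPS_SAMPLES/fips_enabled"
BOOT_DEV=$(printf '%s\n' "$DF_BOOT_SEPARATE" | fips_boot_param_from_df)
echo "boot= value derived from df: '$BOOT_DEV'"
report fips_check_grub "$FIPS_SAMPLES/grub.ok" "$BOOT_DEV"
report fips_check_grub "$FIPS_SAMPLES/grub.noboot" "$BOOT_DEV"
```

To run it against a live host, replace the sample paths with /etc/sysconfig/prelink, /etc/grub.conf and /proc/sys/crypto/fips_enabled and feed `df -P /boot` into fips_boot_param_from_df; the grub check is deliberately strict and fails if any kernel entry, not just the default one, lacks the parameters, since booting an older entry without fips=1 silently leaves FIPS mode off.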
OpenSSH
If using OpenSSH Server or Client, ensure the following values are set in the /etc/ssh/sshd_config and ~/.ssh/config file respectively [3][4]:
- Either no "Ciphers" option or the option with a subset out of "aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc";
- Either no "MACs" option or the option with "hmac-sha1";
- "Protocol 2" must be specified.
To check if changes to the sshd_config need to be made, the following checks can be run:
# egrep -i 'aes128-ctr|aes192-ctr|aes256-ctr|aes128-cbc|3des-cbc|aes192-cbc|aes256-cbc' /etc/ssh/sshd_config
# egrep -i 'hmac' /etc/ssh/sshd_config
# egrep -i 'protocol' /etc/ssh/sshd_config
Make changes to meet these requirements.
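The egrep checks above only show whether the keywords occur somewhere in the file: they also match commented-out lines, and they do not verify that every algorithm listed on a Ciphers or MACs line is in the allowed set. The script below is an added example, not part of either Red Hat article, that reads the first active Ciphers, MACs and Protocol values the way sshd does and checks them against the lists given in this section and in the RHEL 6 sshd_config example; it works for ~/.ssh/config as well, and the sshd_config samples it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Red Hat articles): check an sshd_config (or
# ~/.ssh/config) against the FIPS cipher, MAC and protocol requirements
# listed above. Unlike the egrep checks, this ignores commented-out lines,
# honours only the first active occurrence of a keyword (as sshd does) and
# verifies that every listed algorithm is in the allowed set.

FIPS_CIPHERS='aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc aes192-cbc aes256-cbc'
FIPS_MACS='hmac-sha1'

# Print the value of keyword $2 in config file $1 (keywords are
# case-insensitive); prints nothing when the keyword is not set.
sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Succeed when every item of the comma-separated list $1 is in the
# space-separated allow list $2.
list_subset_of() {
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        case " $2 " in
            *" $item "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Either no Ciphers option, or only ciphers from the allowed list.
sshd_fips_ciphers_ok() {
    value=$(sshd_option "$1" Ciphers)
    [ -z "$value" ] || list_subset_of "$value" "$FIPS_CIPHERS"
}

# Either no MACs option, or hmac-sha1 only.
sshd_fips_macs_ok() {
    value=$(sshd_option "$1" MACs)
    [ -z "$value" ] || list_subset_of "$value" "$FIPS_MACS"
}

# Protocol 2 must be set explicitly.
sshd_fips_protocol_ok() {
    [ "$(sshd_option "$1" Protocol)" = "2" ]
}

sshd_fips_check() {
    sshd_fips_ciphers_ok "$1" && sshd_fips_macs_ok "$1" && sshd_fips_protocol_ok "$1"
}

# ---- constructed samples (not real configuration files) ----
SSH_SAMPLES=$(mktemp -d)
trap 'rm -rf "$SSH_SAMPLES"' EXIT
cat > "$SSH_SAMPLES/sshd_config.ok" <<'EOF'
# compliant: a subset of the allowed ciphers, hmac-sha1 only, Protocol 2
Protocol 2
Ciphers aes128-ctr,aes256-ctr,aes128-cbc
MACs hmac-sha1
EOF
cat > "$SSH_SAMPLES/sshd_config.bad" <<'EOF'
# non-compliant: arcfour is not an allowed cipher and hmac-md5 is not an allowed MAC
Protocol 2
Ciphers aes128-ctr,arcfour
MACs hmac-sha1,hmac-md5
EOF
cat > "$SSH_SAMPLES/sshd_config.defaults" <<'EOF'
# no Ciphers/MACs lines (permitted), but Protocol is only present as a comment,
# which "egrep -i protocol" would still match
#Protocol 2,1
EOF

for f in ok bad defaults; do
    if sshd_fips_check "$SSH_SAMPLES/sshd_config.$f"; then
        echo "sshd_config.$f: compliant"
    else
        echo "sshd_config.$f: NOT compliant"
    fi
done
```

Run `sshd_fips_check /etc/ssh/sshd_config` on the server and `sshd_fips_check ~/.ssh/config` for each client configuration; a non-zero exit means at least one of the three requirements is not met, and the individual functions tell you which.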
OpenSSL
Verify the version of openssl running is 0.9.8e-12.el5 [5].
rpm -qi openssl
Openswan
Verify the version of openswan running is 2.6.21-5.el5_4.3 [6]:
rpm -qi openswan
Verify the version of nss running is 3.12.6-2.el5_4 [6]:
rpm -qi nss
Verify the version of selinux-policy is 2.4.6-255.el5_4.2 [6]:
rpm -qi selinux-policy
The database for the cryptographic keys used by the pluto daemon must be initialized after it has been created, as documented in the README.nss documentation, with the following command, assuming that the database is stored in the directory /etc/ipsec.d/:
modutil -fips true -dbdir /etc/ipsec.d