Chapter 9. Federal Standards and Regulations
To maintain security levels, your organization can make efforts to comply with federal and industry security specifications, standards, and regulations. This chapter describes some of these standards and regulations.
9.1. Federal Information Processing Standard (FIPS)
The Federal Information Processing Standard (FIPS) Publication 140-2 is a computer security standard, developed by a U.S. Government and industry working group, to validate the quality of cryptographic modules. See the official FIPS publications at the NIST Computer Security Resource Center.
The FIPS 140-2 standard ensures that cryptographic tools implement their algorithms properly. See the full FIPS 140-2 standard at http://dx.doi.org/10.6028/NIST.FIPS.140-2 for further details on the standard's security levels and its other specifications.
To learn about compliance requirements, see the Red Hat Government Standards page.
9.1.1. Enabling FIPS Mode
To make Red Hat Enterprise Linux compliant with the Federal Information Processing Standard (FIPS) Publication 140-2, you need to make several changes to ensure that accredited cryptographic modules are used. You can either enable FIPS mode during system installation or after it.
During the System Installation
To fulfil the strict FIPS 140-2 compliance, add the fips=1 kernel option to the kernel command line during system installation. With this option, all key generation is done with FIPS-approved algorithms and with continuous monitoring tests in place. After the installation, the system is configured to boot into FIPS mode automatically.
Important
Ensure that the system has plenty of entropy during the installation process by moving the mouse around or by pressing many keystrokes. The recommended number of keystrokes is 256 or more. Fewer than 256 keystrokes might generate a non-unique key.
After the System Installation
To turn the kernel space and user space of your system into FIPS mode after installation, follow these steps:
- Install the dracut-fips package:
~]# yum install dracut-fips
For CPUs with AES New Instructions (AES-NI) support, install the dracut-fips-aesni package as well:
~]# yum install dracut-fips-aesni
- Regenerate the initramfs file:
~]# dracut -v -f
To enable the in-module integrity verification and to have all required modules present during the kernel boot, the initramfs file has to be regenerated.
Warning
This operation will overwrite the existing initramfs file.
- Modify the boot loader configuration. To boot into FIPS mode, add the fips=1 option to the kernel command line of the boot loader. If your /boot directory resides on a separate partition, also add the boot=<partition> parameter (where <partition> stands for the partition holding /boot) to the kernel command line. To identify the boot partition, enter the following command:
~]$ df /boot
Filesystem     1K-blocks  Used Available Use% Mounted on
/dev/sda1         495844 53780    416464  12% /boot
To ensure that the boot= configuration option works even if the device naming changes between boots, identify the universally unique identifier (UUID) of the partition by running the following command:
~]$ blkid /dev/sda1
/dev/sda1: UUID="05c000f1-f899-467b-a4d9-d5ca4424c797" TYPE="ext4"
Append the UUID to the kernel command line:
boot=UUID=05c000f1-f899-467b-a4d9-d5ca4424c797
Depending on your boot loader, make the following changes:
  - GRUB 2: Add the fips=1 and boot=<partition of /boot> options to the GRUB_CMDLINE_LINUX key in the /etc/default/grub file. To apply the changes to /etc/default/grub, rebuild the grub.cfg file as follows:
    - On BIOS-based machines, enter the following command as root:
~]# grub2-mkconfig -o /etc/grub2.cfg
    - On UEFI-based machines, enter the following command as root:
~]# grub2-mkconfig -o /etc/grub2-efi.cfg
  - zipl (on the IBM Z Systems architecture only): Add the fips=1 and boot=<partition of /boot> options to the kernel command line in the /etc/zipl.conf file and apply the changes by entering:
~]# zipl
- Make sure prelinking is disabled. For proper operation of the in-module integrity verification, prelinking of libraries and binaries has to be disabled. Prelinking is done by the prelink package, which is not installed by default. Unless prelink has been installed, this step is not needed. To disable prelinking, set the PRELINKING=no option in the /etc/sysconfig/prelink configuration file. To undo existing prelinking on all system files, use the prelink -u -a command.
- Reboot your system.
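As an added example, not taken from the Red Hat guide, the following POSIX shell helpers implement the checks behind the boot loader step: they determine from df output whether /boot is a separate partition, derive the device-name-independent boot=UUID= option from blkid output, and report which of fips=1 and boot= is missing from a kernel command line. The sample df and blkid outputs are the ones shown above; the function names are the example's own.

```shell
#!/bin/sh
# Added audit helper, not part of the Red Hat guide: checks a kernel command
# line for the fips=1 and boot= options required above and derives the
# boot=UUID=... option from blkid output. POSIX sh, awk and sed only.

# Constructed sample outputs (copied from the df and blkid examples above).
SAMPLE_DF='Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda1 495844 53780 416464 12% /boot'
SAMPLE_BLKID='/dev/sda1: UUID="05c000f1-f899-467b-a4d9-d5ca4424c797" TYPE="ext4"'

# boot_is_separate DF_OUTPUT: succeeds when /boot is its own mount point,
# i.e. when the boot= option is required in addition to fips=1.
boot_is_separate() {
    printf '%s\n' "$1" | awk 'NR > 1 && $6 == "/boot" { found = 1 } END { exit found ? 0 : 1 }'
}

# boot_device DF_OUTPUT: prints the block device backing /boot (e.g. /dev/sda1).
boot_device() {
    printf '%s\n' "$1" | awk 'NR > 1 { print $1; exit }'
}

# boot_param BLKID_OUTPUT: prints boot=UUID=<uuid>; fails if no UUID is present.
# The [ :] before UUID keeps a PARTUUID="..." field from being picked up instead.
boot_param() {
    uuid=$(printf '%s\n' "$1" | sed -n 's/.*[ :]UUID="\([^"]*\)".*/\1/p')
    [ -n "$uuid" ] || return 1
    printf 'boot=UUID=%s\n' "$uuid"
}

# cmdline_missing CMDLINE SEPARATE_BOOT: prints each required option that is
# absent from CMDLINE, one per line. fips=0 or fips=x does not count as set.
# SEPARATE_BOOT is 1 when /boot is a separate partition, 0 otherwise.
cmdline_missing() {
    padded=" $1 "
    case "$padded" in *" fips=1 "*) ;; *) echo "fips=1" ;; esac
    if [ "$2" = 1 ]; then
        case "$padded" in *" boot="*) ;; *) echo "boot=<partition of /boot>" ;; esac
    fi
}

# Demonstration on the constructed samples; on a live system feed in the
# contents of /proc/cmdline (or GRUB_CMDLINE_LINUX from /etc/default/grub).
if boot_is_separate "$SAMPLE_DF"; then sep=1; else sep=0; fi
printf '/boot device:  %s\n' "$(boot_device "$SAMPLE_DF")"
printf 'option to add: %s\n' "$(boot_param "$SAMPLE_BLKID")"
printf 'missing from "ro quiet":\n%s\n' "$(cmdline_missing "ro quiet" "$sep")"
```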
Enabling FIPS Mode in a Container
A container can be switched to FIPS 140-2 mode if the host is also set in FIPS 140-2 mode and one of the following requirements is met:
- The dracut-fips package is installed in the container.
- The /etc/system-fips file is mounted on the container from the host.