What is FIPS Compliance?
The Federal Information Processing Standards (FIPS) are standards specified by the United States Government for approving cryptographic software. The National Institute of Standards and Technology (NIST) has so far issued the FIPS 140-1 and FIPS 140-2 standards, and FIPS PUB 140-2 is the standard for “Security Requirements for Cryptographic Modules”.
The steps to enable FIPS on CentOS/RHEL 7 include installing the dracut-fips package. This package provides a file, /etc/system-fips, that FIPS-enabled software, such as the openssh client, uses to know to check whether FIPS mode is enabled or not in the kernel. Using fips=1 during install tells the installer to also install the dracut-fips package automatically.
Disabling FIPS mode
1. Remove dracut-fips packages.
# yum remove dracut-fips*
2. Take a backup of the FIPS initramfs.
# cp -p /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).backup
3. Recreate the initramfs file:
# dracut -f
# dracut -f -v /boot/initramfs-$(uname -r).img $(uname -r)
4. Disable fips=1 value from the kernel command-line. Modify the kernel command line of the current kernel in the grub.cfg adding the following option “fips=0” to the GRUB_CMDLINE_LINUX key in the /etc/default/grub file and then rebuild the grub.cfg file:
Example of how GRUB_CMDLINE_LINUX line looks like:
# cat /etc/default/grub | grep GRUB_CMDLINE_LINUX= GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=vg_os/root rd.lvm.lv=vg_os/swap rhgb quiet fips=0"
5. Changes to /etc/default/grub require rebuilding the grub.cfg file as follow:
# grub2-mkconfig -o /boot/grub2/grub.cfg
Or If you have a UEFI-based run:
# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
6. Reboot the server for the changes to take effect:
# shutdown -r now
7. Check that FIPS is not in enforcing mode after a reboot /proc/sys/crypto/fips_enabled should be 0.
# cat /proc/sys/crypto/fips_enabled 0