The Geek Diary
How to make CentOS/RHEL 7 FIPS 140-2 compliant

by admin

To make CentOS/RHEL 7 compliant with the Federal Information Processing Standard Publication (FIPS) 140-2, some changes are needed to ensure that the certified cryptographic modules are used and that your system (kernel and userspace) is in FIPS mode.

Pre-requisites

1. Confirm that the installed OpenSSL version supports FIPS (the version string carries a -fips suffix):

# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

2. Check whether the kernel is already in FIPS mode. The following file reads 0 if FIPS mode is NOT enabled:

# cat /proc/sys/crypto/fips_enabled
0

3. Take a backup of the output of ‘blkid’ and ‘df -h’ in case it is needed to troubleshoot future issues. The date is written in a format without spaces so the file name is a single word:

# blkid > /var/tmp/blkid_bkp_$(date +%Y%m%d_%H%M%S)
# df -h > /var/tmp/df_bkp_$(date +%Y%m%d_%H%M%S)

4. In /etc/sysconfig/prelink, check that prelinking is disabled. It is disabled when the configuration file contains “PRELINKING=no”.

NOTE: If prelink is not installed on the server, this step can be skipped.

5. Check whether the server supports AES-NI (Advanced Encryption Standard New Instructions):

# cat /proc/cpuinfo | grep aes
# lsmod | grep aes

NOTE: If aes shows up on the server, also install the dracut-fips-aesni package before proceeding.

Steps

Make FIPS active on the kernel:

1. Install the dracut-fips package.

# yum install dracut-fips

2. Take a backup of the current initramfs.

# cp -p /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).backup

Ensure the backup of the initramfs has been created.

3. Recreate the initramfs file:

# dracut -f

4. Add “fips=1” to the kernel command line of the current kernel. In /etc/default/grub, append the option to the end of the GRUB_CMDLINE_LINUX line (grub.cfg is regenerated from this file in the next step):

# cat /etc/default/grub | grep GRUB_CMDLINE_LINUX=
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=vg_os/root rd.lvm.lv=vg_os/swap rhgb quiet fips=1"

5. Rebuild the grub.cfg file as follows:

# grub2-mkconfig -o /boot/grub2/grub.cfg

If the server is configured to boot with UEFI, run the following command instead to rebuild the grub.cfg:

# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

6. Reboot your system.

# shutdown -r now

7. Finally, check again whether FIPS is now enabled. The file reads 1 when it is enabled.

# cat /proc/sys/crypto/fips_enabled
1
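As an added example that is not part of the original article, the checks from the prerequisites and from steps 4 and 7 above collected into POSIX shell functions. Each function takes the file it reads as an optional argument and defaults to the system path the article uses, so the same functions run against copied configuration files or test fixtures. The function names are this example's own; grub_add_fips is an idempotent way to do the step 4 edit on a double-quoted GRUB_CMDLINE_LINUX value, and boot_is_separate covers a case the article does not spell out: on RHEL 7, when /boot is a separate file system, the kernel command line additionally needs boot=<UUID of the /boot file system>, which is one reason the blkid backup from prerequisite 3 is worth keeping.

```shell
#!/bin/sh
# Added example, not from the original article: the prerequisite and step 4/7
# checks as shell functions. Every function takes the file it reads as an
# optional argument, defaulting to the system path the article uses, so the
# checks can also run against copied config files or test fixtures.

# Print the kernel FIPS flag: 1 when FIPS mode is on, 0 otherwise (also 0
# when the file is missing, e.g. on a kernel without the fips sysctl).
fips_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] || { echo 0; return 0; }
    tr -d '[:space:]' < "$f"
}

# Succeed when the CPU advertises the aes flag (prerequisite 5).
cpu_has_aesni() {
    f="${1:-/proc/cpuinfo}"
    grep -qw aes "$f" 2>/dev/null
}

# Succeed when prelinking is disabled, or when no prelink config exists at all
# (prerequisite 4 says the step can be skipped when prelink is not installed).
prelink_disabled() {
    f="${1:-/etc/sysconfig/prelink}"
    [ -e "$f" ] || return 0
    grep -Eq '^[[:space:]]*PRELINKING=no[[:space:]]*$' "$f"
}

# Succeed when GRUB_CMDLINE_LINUX in the grub defaults file already carries
# fips=1 (step 4).
grub_has_fips() {
    f="${1:-/etc/default/grub}"
    grep -E '^GRUB_CMDLINE_LINUX=' "$f" 2>/dev/null | grep -Eq '[" ]fips=1[" ]'
}

# Append fips=1 to a double-quoted GRUB_CMDLINE_LINUX value, in place and
# idempotently. Returns 1 if the line is missing or not double-quoted.
# grub2-mkconfig still has to be run afterwards (step 5).
grub_add_fips() {
    f="${1:-/etc/default/grub}"
    grub_has_fips "$f" && return 0
    grep -Eq '^GRUB_CMDLINE_LINUX="' "$f" || return 1
    # The first substitution inserts before the closing quote; the second
    # removes the stray leading space left behind when the value was empty.
    sed -i -E '/^GRUB_CMDLINE_LINUX="/ { s/"[[:space:]]*$/ fips=1"/; s/=" /="/; }' "$f"
    grub_has_fips "$f"
}

# Succeed when /boot is a separate file system. In that case RHEL 7 also
# needs boot=<UUID of the /boot file system> on the kernel command line, and
# the blkid backup from prerequisite 3 is where that UUID is recorded.
boot_is_separate() {
    f="${1:-/proc/self/mounts}"
    awk '$2 == "/boot" { found = 1 } END { exit !found }' "$f" 2>/dev/null
}

# Print one line per check and return the number of unmet requirements:
# non-zero before the procedure, 0 once fips=1 is in GRUB, prelink is off and
# the rebooted kernel reports FIPS mode.
fips_status() {
    unmet=0
    cpu_has_aesni "$1" && echo "aes-ni: present (install dracut-fips-aesni too)" \
                       || echo "aes-ni: absent"
    prelink_disabled "$2" && echo "prelink: disabled" \
                          || { echo "prelink: ENABLED"; unmet=$((unmet + 1)); }
    grub_has_fips "$3" && echo "grub: fips=1 present" \
                       || { echo "grub: fips=1 MISSING"; unmet=$((unmet + 1)); }
    boot_is_separate "$4" && echo "boot: separate file system, boot=UUID=... also needed" \
                          || echo "boot: not a separate file system"
    [ "$(fips_enabled "$5")" = 1 ] && echo "kernel: FIPS mode on" \
                                   || { echo "kernel: FIPS mode off"; unmet=$((unmet + 1)); }
    return "$unmet"
}
```

Running fips_status with no arguments on the live system before and after the reboot gives the article's checks side by side; a return value of 0 after step 7 means the GRUB entry, the prelink setting and the running kernel all agree. The article's own commands remain the reference for each individual step.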

Filed Under: CentOS/RHEL 7, Linux

© 2023 · The Geek Diary