To make CentOS/RHEL 7 compliant with the Federal Information Processing Standard Publication (FIPS) 140-2, some changes are needed to ensure that the certified cryptographic modules are used and that your system (kernel and userspace) is in FIPS mode.
1. Confirm that the installed openssl build is FIPS-capable (the version string carries a "-fips" suffix):
# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
2. Check the output of the following command. It shows whether the kernel is already running in FIPS mode; it prints 0 if FIPS mode is NOT enabled.
# cat /proc/sys/crypto/fips_enabled
0
3. Save the output of 'blkid' and 'df -h' in case it is needed to troubleshoot later. The date is formatted as YYYY-MM-DD so the file name contains no spaces, which would otherwise make the redirection ambiguous.
# blkid > /var/tmp/blkid_bkp_$(date +%F)
# df -h > /var/tmp/df_bkp_$(date +%F)
4. In /etc/sysconfig/prelink, check that prelinking is disabled. It is disabled by setting "PRELINKING=no" in that configuration file (prelinked binaries would fail the integrity checks the FIPS modules perform at load time).
5. Check whether the CPU supports AES-NI (Advanced Encryption Standard New Instructions) and whether the matching kernel module is loaded:
# grep aes /proc/cpuinfo
# lsmod | grep aes
Make FIPS active in the kernel:
1. Install the dracut-fips package.
# yum install dracut-fips
2. Take a backup of the current initramfs.
# cp -p /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).backup
Verify that the backup file exists before continuing.
3. Recreate the initramfs file:
# dracut -f
4. Add "fips=1" to the kernel command line. In /etc/default/grub, append the option at the end of the GRUB_CMDLINE_LINUX line, so that it reads as in the following output:
# cat /etc/default/grub | grep GRUB_CMDLINE_LINUX=
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=vg_os/root rd.lvm.lv=vg_os/swap rhgb quiet fips=1"
5. Rebuild the grub.cfg file as follows:
# grub2-mkconfig -o /boot/grub2/grub.cfg
If the server boots with UEFI, run the following command instead to rebuild grub.cfg:
# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
6. Reboot your system.
# shutdown -r now
7. Finally, check again whether FIPS mode is now enabled. The command prints 1 when it is enabled.
# cat /proc/sys/crypto/fips_enabled
1
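As an added example (not part of the original article), the following POSIX shell script audits the settings the procedure above touches after the reboot: the kernel's fips_enabled flag, the fips=1 token on the running kernel command line, and PRELINKING=no. The optional ROOT argument is an assumption of this script, used to point the checks at a staged copy of a system tree; with no argument it audits the live host.

```shell
#!/bin/sh
# Audit of the FIPS settings this procedure touches, for use after the
# reboot in step 6. ROOT (an assumption of this script, not part of the
# article) lets the same checks run against a staged copy of a system
# tree; leave it empty to audit the live CentOS/RHEL 7 host.

# True when the kernel command line carries the exact token "fips=1".
# Token comparison, so "nofips=1" or "fips=10" are not accepted.
cmdline_has_fips1() {
    for tok in $1; do
        [ "$tok" = "fips=1" ] && return 0
    done
    return 1
}

# True when /etc/sysconfig/prelink does not enable prelinking.
# A missing file counts as disabled (the prelink package is absent).
prelink_disabled() {
    [ -f "$1" ] || return 0
    ! grep -Eq '^[[:space:]]*PRELINKING=yes' "$1"
}

# True when the kernel reports FIPS mode, i.e. fips_enabled reads 1.
kernel_fips_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# Prints one PASS/FAIL line per check; returns 0 only if all pass.
audit_fips() {
    root=${1:-}
    rc=0
    if kernel_fips_enabled "$root/proc/sys/crypto/fips_enabled"; then
        echo "PASS kernel fips_enabled=1"
    else
        echo "FAIL kernel is not in FIPS mode"; rc=1
    fi
    if [ -r "$root/proc/cmdline" ] &&
       cmdline_has_fips1 "$(cat "$root/proc/cmdline")"; then
        echo "PASS fips=1 present on the kernel command line"
    else
        echo "FAIL fips=1 missing (check GRUB_CMDLINE_LINUX, then grub2-mkconfig)"; rc=1
    fi
    if prelink_disabled "$root/etc/sysconfig/prelink"; then
        echo "PASS prelinking disabled"
    else
        echo "FAIL /etc/sysconfig/prelink does not set PRELINKING=no"; rc=1
    fi
    return "$rc"
}
```

Source the file and call audit_fips with no argument on the live host; a non-zero exit code means at least one of the steps above did not take effect.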