To make CentOS/RHEL 7 compliant with Federal Information Processing Standard Publication (FIPS) 140-2, a few changes are needed so that the certified cryptographic modules are the ones in use and the system runs in FIPS mode in both kernel and userspace. The prerequisites check the state of the box; the steps then enable FIPS mode in the kernel and the initramfs.
Prerequisites
1. Confirm that the installed openssl is the FIPS-capable build. The version string of that build carries the -fips suffix:
# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
2. Check whether the kernel is already in FIPS mode. The file reads 0 when FIPS mode is NOT enabled:
# cat /proc/sys/crypto/fips_enabled
0
3. Save the output of blkid and df -h to /var/tmp. The blkid output gives the UUID of the /boot partition, which is needed in the GRUB step if /boot is a separate partition, and both files are useful if boot problems have to be diagnosed later. Use a date format without spaces, otherwise the redirection target is ambiguous:
# blkid > /var/tmp/blkid_bkp_$(date +%F)
# df -h > /var/tmp/df_bkp_$(date +%F)
4. In /etc/sysconfig/prelink, make sure prelinking is disabled by setting PRELINKING=no. If the prelink package is installed and was ever active, also undo the existing prelinking with prelink -ua, since prelinked libraries do not pass the integrity check performed in FIPS mode.
5. Check whether the CPU provides AES-NI (Advanced Encryption Standard New Instructions) and whether the corresponding kernel module is loaded; this decides whether the AES-NI variant of the dracut FIPS package is installed in the next section:
# grep -m1 aes /proc/cpuinfo
# lsmod | grep aes
Steps
Make FIPS active on the kernel:
1. Install the dracut-fips package. If the AES-NI check above succeeded, install the dracut-fips-aesni package as well with the same yum command.
# yum install dracut-fips
2. Take a backup of the current initramfs.
# cp -p /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).backup
Ensure the backup of the initramfs has been created.
3. Recreate the initramfs file:
# dracut -f
4. Add fips=1 to the kernel command line. In /etc/default/grub, append fips=1 to the end of the GRUB_CMDLINE_LINUX line. If /boot (or /boot/efi on UEFI systems) is a separate partition, also add boot=UUID=<uuid of that partition>, taking the UUID from the blkid output saved earlier, so that the integrity check at boot can locate the kernel image.
# grep GRUB_CMDLINE_LINUX= /etc/default/grub
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=vg_os/root rd.lvm.lv=vg_os/swap rhgb quiet fips=1"
5. Rebuild the grub.cfg file as follows:
# grub2-mkconfig -o /boot/grub2/grub.cfg
If the server boots via UEFI, the file lives under the EFI system partition instead; rebuild it there (the directory is EFI/redhat on RHEL and EFI/centos on CentOS):
# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
6. Reboot your system.
# shutdown -r now
7. Finally, check again whether FIPS mode is enabled. The file now reads 1:
# cat /proc/sys/crypto/fips_enabled
1
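The checks above are easy to forget one at a time, so here is a small script that re-runs them together. It is an added example, not part of the original page or of any Red Hat tooling; the function names are my own. Each check takes the text to inspect as an argument so it can be exercised on constructed input; sh fips_check.sh --live feeds in the real files and adds two host-only checks (the dracut-fips package, and the classic userspace probe that openssl refuses MD5, which is not a FIPS-approved algorithm):

```shell
#!/bin/sh
# fips_check.sh: re-verify the prerequisites and post-reboot state of the
# FIPS procedure.  Added example, not part of the original page; function
# names are my own.  Each check takes the text to inspect as an argument so
# it can be exercised on constructed input; "sh fips_check.sh --live" runs
# the same checks against the running system.

# Kernel FIPS flag: /proc/sys/crypto/fips_enabled must read exactly "1".
fips_kernel_enabled() {                  # $1 = contents of fips_enabled
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# fips=1 must appear as a whole word on the kernel command line (either
# /proc/cmdline after the reboot, or the GRUB_CMDLINE_LINUX line before it);
# "nofips=1" or "fips=10" must not count.
cmdline_has_fips() {                     # $1 = command line text
    printf '%s\n' "$1" | grep -qw 'fips=1'
}

# openssl must be the FIPS-capable build, whose version string carries the
# "-fips" suffix, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013".
openssl_is_fips_build() {                # $1 = output of "openssl version"
    case "$1" in
        *-fips*) return 0 ;;
        *)       return 1 ;;
    esac
}

# prelink must be off: an uncommented PRELINKING=no in /etc/sysconfig/prelink.
prelink_disabled() {                     # $1 = contents of the prelink config
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*PRELINKING=no[[:space:]]*$'
}

# Run all four checks on the given inputs, print one PASS/FAIL line each and
# return the number of failures (0 means the host looks ready / in FIPS mode).
fips_report() {  # $1 fips_enabled  $2 cmdline  $3 openssl version  $4 prelink cfg
    fails=0
    if fips_kernel_enabled "$1"; then echo "PASS kernel fips_enabled=1"
    else echo "FAIL kernel fips_enabled is not 1"; fails=$((fails + 1)); fi
    if cmdline_has_fips "$2"; then echo "PASS fips=1 on kernel command line"
    else echo "FAIL fips=1 missing from kernel command line"; fails=$((fails + 1)); fi
    if openssl_is_fips_build "$3"; then echo "PASS openssl is the -fips build"
    else echo "FAIL openssl is not the -fips build"; fails=$((fails + 1)); fi
    if prelink_disabled "$4"; then echo "PASS prelinking disabled"
    else echo "FAIL PRELINKING=no not set"; fails=$((fails + 1)); fi
    return "$fails"
}

# Live mode: feed the real files in.  A missing /etc/sysconfig/prelink means
# the prelink package is not installed, which is as good as disabled.
if [ "${1:-}" = "--live" ]; then
    live_fails=0
    fips_report \
        "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" \
        "$(cat /proc/cmdline 2>/dev/null)" \
        "$(openssl version 2>/dev/null)" \
        "$(cat /etc/sysconfig/prelink 2>/dev/null || echo 'PRELINKING=no')" \
        || live_fails=$?
    if rpm -q dracut-fips >/dev/null 2>&1; then echo "PASS dracut-fips installed"
    else echo "FAIL dracut-fips not installed"; live_fails=$((live_fails + 1)); fi
    # In FIPS mode the openssl userspace module refuses non-approved digests.
    if ! command -v openssl >/dev/null 2>&1; then
        echo "FAIL openssl not found"; live_fails=$((live_fails + 1))
    elif openssl md5 /dev/null >/dev/null 2>&1; then
        echo "FAIL openssl still accepts MD5 (userspace not in FIPS mode)"; live_fails=$((live_fails + 1))
    else echo "PASS openssl refuses MD5"; fi
    exit "$live_fails"
fi
```

Run it once before the reboot (expect only the kernel flag, command line and MD5 checks to fail, since those change at boot) and once afterwards, when every line should read PASS and the exit status should be 0. The exit status is the number of failed checks, so the script can be dropped into a configuration audit as-is.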