How can I make RHEL FIPS compliant?

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9

Issue

  • How to configure Red Hat Enterprise Linux 6 for FIPS compliance?
  • How to configure Red Hat Enterprise Linux 7 for FIPS compliance?
  • How to configure Red Hat Enterprise Linux 8 for FIPS compliance?
  • How to configure Red Hat Enterprise Linux 9 for FIPS compliance?
  • To configure RHEL 6 or RHEL 7 to be compliant with the Federal Information Processing Standard (FIPS) Publication 140-2, several changes need to be made to ensure that accredited cryptographic modules are used. How?

Resolution

See also: How to disable FIPS mode in RHEL 6 or RHEL 7


WARNING: Ideally, when aiming for FIPS compliance, new machines should be installed from scratch with the installer booted using the fips=1 kernel argument. This ensures the OS is running the FIPS continuous tests on the RNG used for cryptographic functions (e.g., user password hashing, LUKS key generation) from the very first use. It's also worth noting that RHEL often performs one-time actions post-install at firstboot that use crypto (e.g., ssh host key generation); on a system converted later, those keys were produced outside FIPS mode and may need to be regenerated. The following practical instructions are meant for situations where it's desirable or necessary to convert an existing system to FIPS mode.


Initial common steps (RHEL 6, 7, 8, 9)

  1. Determine and install appropriate package versions
    While virtually every version of RHEL supports FIPS-enforcing mode, specific package versions are required if strict FIPS compliance is desired, because only particular versions of each cryptographic module were validated
    Consult: Package requirements for FIPS 140-2 compliance in RHEL

  2. If the prelink package is installed: disable prelinking (uninstalling the prelink package is optional)
    Prelinking rewrites shared libraries on disk, which makes the FIPS integrity self-test of the validated crypto libraries fail
    Run exactly:

    rpm -q prelink && sed -i '/^PRELINKING/s,yes,no,' /etc/sysconfig/prelink
    rpm -q prelink && prelink -uav
    
  3. If accessing the system via SSH, be warned: SSH keys generated outside of FIPS mode can be incompatible with FIPS mode (key types or sizes that are not FIPS-approved will be rejected after the reboot)
    Recommendation: ensure console access or SSH access via password authentication is available before rebooting


Steps for RHEL 8 and RHEL 9

  1. Red Hat Enterprise Linux 8 and 9 have an automated setup command, fips-mode-setup, that takes care of everything: it switches the system-wide crypto policy to FIPS, rebuilds the initramfs, and adds the fips=1 (and, where needed, boot=) kernel arguments
    Run:

    fips-mode-setup --enable
    
  2. The tool should suggest a reboot
    Assuming it gives no errors, run:

    reboot
    
  3. Confirm output reports FIPS mode is enabled
    Run:

    fips-mode-setup --check
    
  4. Review post-setup advice below


Steps for RHEL 6 and RHEL 7

  1. Install the dracut-fips package and any dependencies
    Run:

    yum install dracut-fips
    
  2. Optional: Install the dracut-fips-aesni package for enhanced performance (see footnote 1 below)
    Run the following command to determine if the system CPU supports AES-NI:

    grep -qw aes /proc/cpuinfo && echo YES || echo no
    

    If the above returns YES, it would be beneficial (but not required) to install dracut-fips-aesni, e.g.:

    yum install dracut-fips-aesni
    

    In RHEL 6, the above command will return "No package dracut-fips-aesni available" if the optional server or workstation repo is not enabled
    In that case, enable the repo and try again, i.e.:

    yum-config-manager --enable rhel-6-server-optional-rpms --enable rhel-6-workstation-optional-rpms
    yum install dracut-fips-aesni
    
  3. Backup existing initramfs
    Run exactly:

    mv -v /boot/initramfs-$(uname -r).img{,.bak}
    
  4. Run dracut to rebuild initramfs
    Run exactly:

    dracut
    
  5. Edit kernel command-line to include the fips=1 argument
    Run exactly:

    grubby --update-kernel=$(grubby --default-kernel) --args=fips=1
    

    Footnote on --update-kernel=$(grubby --default-kernel) vs --update-kernel=DEFAULT: see footnote 2 below

  6. Edit kernel command-line to include the boot=UUID=XXXX or boot=LABEL=XXXX or boot=/dev/DEVICE argument when /boot is a separate partition
    This is necessary whenever /boot is a filesystem separate from the rootfs: the fips dracut module has to mount /boot during early boot to find the kernel's .hmac file for the integrity check, and without boot= it cannot locate that filesystem, so the boot ends in a kernel panic. It can be skipped when /boot is not a separate partition.
    Run exactly:

    uuid=$(findmnt -no uuid /boot)
    [[ -n $uuid ]] && grubby --update-kernel=$(grubby --default-kernel) --args=boot=UUID=${uuid}
    
  7. Attempt a reboot
    Run:

    reboot
    

    If the boot fails with a kernel panic, some of the above steps were missed -- most likely the boot= argument from step #6 (a separate /boot that the initramfs cannot find)
    See: Kernel panic after making Red Hat Enterprise Linux 6 FIPS 140-2 compliant

  8. Confirm that FIPS is in enforcing mode after a reboot
    The crypto.fips_enabled sysctl should report 1
    Run:

    sysctl crypto.fips_enabled
    
  9. Optional RHEL 7 only: Configure GRUB2 kernel cmdline in /etc/default/grub for use with grub2-mkconfig
    Running through the above steps on RHEL 7 will ensure the current default and all future kernels will be setup for FIPS; however, if grub2-mkconfig is ever run manually, it will strip the fips=1 and boot= args from the kernel command-line
    If manual execution of grub2-mkconfig is a possibility, GRUB_CMDLINE_LINUX in /etc/default/grub needs to be fixed
    Run exactly:

    sed -i '/^GRUB_CMDLINE_LINUX=/s/"$/ fips=1"/' /etc/default/grub
    uuid=$(findmnt -no uuid /boot)
    [[ -n $uuid ]] && sed -i "/^GRUB_CMDLINE_LINUX=/s/\"$/ boot=UUID=${uuid}\"/" /etc/default/grub
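
The RHEL 6/7 procedure above collected into one script, as an added example that is not part of the Red Hat article. The read-only helpers (cpu_has_aesni, fips_kernel_args, cmdline_is_fips) take their inputs as arguments so the decisions (AES-NI present? separate /boot?) can be checked without root and before rebooting; apply_fips_mode runs the actual commands from the steps above, and only when the script is invoked with --apply. The script name and helper names are assumptions; the rpm/yum/dracut/grubby/findmnt invocations are the ones from the steps.

```shell
#!/bin/bash
# Added example (not from the Red Hat article): the RHEL 6/7 conversion steps
# above as one script. Read-only helpers take their inputs as arguments so they
# can be checked without root; apply_fips_mode does the real work and only runs
# when invoked as:  ./fips-convert.sh --apply   (script name is an assumption)

set -u

# Return 0 if the /proc/cpuinfo-style text in file $1 advertises the aes flag
# (the check from step 2; only then is dracut-fips-aesni safe to install).
cpu_has_aesni() {
    grep -qw aes "$1"
}

# Print the kernel arguments to add (steps 5 and 6). $1 is the UUID of the
# filesystem mounted on /boot, or empty when /boot is not a separate filesystem.
fips_kernel_args() {
    if [ -n "$1" ]; then
        printf 'fips=1 boot=UUID=%s\n' "$1"
    else
        printf 'fips=1\n'
    fi
}

# Return 0 if a kernel command line ($1, e.g. the contents of /proc/cmdline)
# carries fips=1 and, when a separate-/boot UUID is given as $2, the matching
# boot=UUID= argument. Used to double-check grubby's result before rebooting.
cmdline_is_fips() {
    local cmdline=$1 boot_uuid=${2:-} word have_fips=1 have_boot=1
    for word in $cmdline; do
        case $word in
            fips=1)                 have_fips=0 ;;
            boot=UUID="$boot_uuid") have_boot=0 ;;
        esac
    done
    [ "$have_fips" -eq 0 ] || return 1
    [ -z "$boot_uuid" ] || [ "$have_boot" -eq 0 ]
}

# The steps from the article, in order. Requires root on a RHEL 6/7 system.
apply_fips_mode() {
    local img kernel uuid
    [ "$(id -u)" -eq 0 ] || { echo "apply_fips_mode: must run as root" >&2; return 1; }

    # Common step 2: prelinking breaks the FIPS integrity self-test of the modules
    if rpm -q prelink >/dev/null 2>&1; then
        sed -i '/^PRELINKING/s,yes,no,' /etc/sysconfig/prelink
        prelink -uav
    fi

    # Steps 1 and 2: dracut-fips always, dracut-fips-aesni only with AES-NI
    yum -y install dracut-fips || return 1
    if cpu_has_aesni /proc/cpuinfo; then
        yum -y install dracut-fips-aesni || return 1
    fi

    # Steps 3 and 4: back up, then rebuild the initramfs of the running kernel
    img="/boot/initramfs-$(uname -r).img"
    mv -v "$img" "$img.bak" || return 1
    dracut || return 1

    # Steps 5 and 6: fips=1, plus boot=UUID=... when /boot is a separate filesystem
    kernel=$(grubby --default-kernel)
    uuid=$(findmnt -no uuid /boot 2>/dev/null || true)
    grubby --update-kernel="$kernel" --args="$(fips_kernel_args "$uuid")" || return 1

    # Show the resulting entry and confirm the args before step 7 (reboot)
    grubby --info="$kernel"
    if cmdline_is_fips "$(grubby --info="$kernel" | sed -n 's/^args="\(.*\)"$/\1/p')" "$uuid"; then
        echo "kernel args look right; reboot, then run: sysctl crypto.fips_enabled"
    else
        echo "fips=1 or boot= missing from kernel args, do not reboot yet" >&2
        return 1
    fi
}

if [ "${1:-}" = "--apply" ]; then
    apply_fips_mode
fi
```

Run it without arguments to load the helpers into a shell (`. ./fips-convert.sh`) and check a command line by hand, e.g. `cmdline_is_fips "$(cat /proc/cmdline)" "$(findmnt -no uuid /boot)"`; run it with --apply as root to perform the conversion.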
    

Common post-setup advice (RHEL 6, 7, 8, 9)

  1. Configure site-specific applications to FIPS requirements
    The key here is the term site-specific. Strictly speaking, the above steps might be all that is required.

    Once the system is running in FIPS mode, the kernel will only provide FIPS-approved crypto features. Likewise, FIPS-aware distro-provided tools like openssl and cryptsetup will disallow use of non-FIPS-approved ciphers and MAC algorithms; however, certain applications may still require configuration tweaks to continue working in FIPS mode, for example OpenSSH when non-default Protocol, Ciphers or MACs directives are in use (see footnote 3 below).

    It's also possible for applications that implement their own crypto to effectively ignore FIPS mode altogether. The biggest offenders here are 3rd-party utilities not provided by Red Hat; however, applications that use NSS also require special attention -- for example: Openswan. The following quote is excerpted from the document Red Hat Enterprise Linux 6.2 Openswan Cryptographic Module v2.0, FIPS 140-2 Security Policy:

    Note that Openswan uses NSS for its cryptographic operations and NSS must explicitly be put into the approved mode with the modutil command.
    The database for the cryptographic keys used by the pluto daemon must be initialized after it has been created as documented in the README.nss documentation with the following command, assuming that the database is stored in the directory /etc/ipsec.d/

        modutil -fips true -dbdir /etc/ipsec.d

    See also: the Federal Information Processing Standard (FIPS) section of the RHEL 6 Security Guide.


1

Most modern CPUs support the AES-NI; however, the aesni-intel kernel module must be loaded for applications to take advantage of the AES instructions. The dracut-fips package results in dracut building initramfs files that DO NOT include the aesni-intel kernel module, whereas the dracut-fips-aesni package results in initramfs files that ALWAYS include the aesni-intel module, whether the system CPU supports it or not. Installing dracut-fips-aesni (and building an initramfs file) on a machine lacking AES-NI support will lead to a kernel panic.

2

The command grubby --update-kernel=$(grubby --default-kernel) --args=xxxx is used instead of the simpler grubby --update-kernel=DEFAULT --args=xxxx because of a bug in the grubby package as shipped in RHEL 7.0 and RHEL 7.1; RHEL 7.2+ (as well as RHEL 6, RHEL 5) have no trouble using the simpler --update-kernel=DEFAULT as documented in the grubby man page. Also note that --update-kernel=ALL works even with grubby from RHEL 7.0/7.1, but of course that requires rebuilding initramfs files for all kernels (and not just the newest default one).

3

The default client and server config files for OpenSSH require no tweaks to work in FIPS mode; however, explicitly enabling Protocol 1 or adding improper Ciphers or MACs directives to /etc/ssh/sshd_config, /etc/ssh/ssh_config, or ~/.ssh/config can break ssh or sshd in FIPS mode. References: Red Hat Enterprise Linux 6.2 OpenSSH Server Cryptographic Module v2.1, FIPS 140-2 Security Policy and Red Hat Enterprise Linux 6.2 OpenSSH Client Cryptographic Module v2.1, FIPS 140-2 Security Policy.
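
A small audit for the caveat in footnote 3, as an added example that is not part of the Red Hat article: it scans OpenSSH configuration files for the directives the footnote names as FIPS-breakers, namely Protocol 1 and Ciphers or MACs lists that include algorithms not approved under FIPS 140-2 (arcfour/RC4, blowfish, cast128, hmac-md5, umac, ripemd). The algorithm-name patterns are an assumption, chosen from algorithms known not to be FIPS-approved, and are not an exhaustive list; the files to scan are given as arguments, so on a live system run it against /etc/ssh/sshd_config, /etc/ssh/ssh_config and ~/.ssh/config before enabling FIPS mode.

```shell
#!/bin/bash
# Added example (not from the Red Hat article): flag OpenSSH config directives
# that break ssh/sshd in FIPS mode (footnote 3): "Protocol 1" and Ciphers/MACs
# naming algorithms that are not FIPS 140-2 approved. The algorithm-name
# patterns below are an assumption, not an exhaustive list.
# Usage:  ./ssh-fips-audit.sh /etc/ssh/sshd_config /etc/ssh/ssh_config ~/.ssh/config

set -u

# Print "file:line: <directive> (<reason>)" for each offending line of file $1.
# Return 0 if the file is clean, 1 if anything was flagged.
audit_ssh_config() {
    local file=$1 lineno=0 line key val bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line%%#*}            # drop comments
        set -- $line                # split into keyword and value(s)
        [ $# -ge 2 ] || continue    # blank or keyword-only lines
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift; val=$*
        case $key in
            protocol)
                # "Protocol 1" or "Protocol 2,1": SSH protocol 1 is not allowed in FIPS mode
                case ",$val," in
                    *,1,*) echo "$file:$lineno: Protocol $val (protocol 1 enabled)"; bad=1 ;;
                esac ;;
            ciphers)
                case ",$val," in
                    *arcfour*|*blowfish*|*cast128*)
                        echo "$file:$lineno: Ciphers $val (contains a non-FIPS cipher)"; bad=1 ;;
                esac ;;
            macs)
                case ",$val," in
                    *hmac-md5*|*umac*|*ripemd*)
                        echo "$file:$lineno: MACs $val (contains a non-FIPS MAC)"; bad=1 ;;
                esac ;;
        esac
    done < "$file"
    return "$bad"
}

if [ $# -gt 0 ]; then
    status=0
    for f in "$@"; do
        [ -r "$f" ] || continue     # ~/.ssh/config may not exist
        audit_ssh_config "$f" || status=1
    done
    exit "$status"
fi
```

A non-zero exit status means at least one file needs attention; a clean result only says the listed patterns were not found, so a Ciphers or MACs line that is flagged should be removed or reduced to FIPS-approved algorithms and then verified against the OpenSSH Security Policy documents referenced above.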

Diagnostic Steps

  • Check that FIPS mode is enabled in the kernel (0 means no; 1 means yes)

    cat /proc/sys/crypto/fips_enabled
    sysctl crypto.fips_enabled
    
  • (Red Hat Enterprise Linux 8 and newer) Check that the FIPS crypto-policy is applied (should output FIPS)

    update-crypto-policies --show
    
  • AES (Advanced Encryption Standard) and KVM virtual guests: a guest can only use AES-NI if the KVM host CPU supports it and the flag is exposed to the guest. Verify that the CPU on the KVM host supports AES:

    grep -w aes /proc/cpuinfo
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.