ISSUE

  • To configure Red Hat Enterprise Linux 6 to be compliant with the Federal Information Processing Standard (FIPS) Publication 140-2, several changes need to be made to ensure that accredited cryptographic modules are used.

Prerequisites

dracut-fips and optionally dracut-fips-aesni
libgcrypt
nss-tools
openswan
openssh-clients
openssh-server
openssl

Steps to Configure

Edit /etc/sysconfig/prelink and disable prelinking.

  • Note: This file is provided by the prelink package; if that package is not installed you can skip this step.
PRELINKING=no

Run prelink to revert binaries and libraries to their original content, as they were before prelinking.

# prelink -u -a

Install the appropriate FIPS enabled version of dracut.

# yum install dracut-fips 

If using AESNI (Advanced Encryption Standard Instruction Set), install dracut-fips-aesni.

# yum-config-manager --enable rhel-6-server-optional-rpms
# yum install dracut-fips-aesni

Note: you will need to add the Server Optional RPMs repository for dracut-fips-aesni.

Back up your current /boot/initramfs image, and run dracut with the -f flag to build a new FIPS enabled initramfs.

# cp /boot/initramfs-2.6.32-358.el6.x86_64.img /boot/initramfs-nofips-2.6.32-358.el6.x86_64.img
# dracut -v -f

Edit /etc/grub.conf and append fips=1 to the kernel line.

If /boot or /boot/efi resides on a separate partition, the kernel parameter boot=<partition of /boot or /boot/efi> must also be added.
Note: the /boot partition must be on a separate partition and not part of the / partition.

Missing this step can result in a failure of the FIPS integrity test at boot, as described in the following article:

Kernel panic after making Red Hat Enterprise Linux 6 FIPS 140-2 compliant.

Use df /boot to determine the device that goes into the boot parameter, and append it to the kernel line in /etc/grub.conf.

kernel /vmlinuz quiet rhgb ... fips=1 boot=/dev/sda1

Reboot the host.

# reboot

At this point the kernel is running in FIPS mode, following the Kernel Crypto API Cryptographic Module and its security policies.

While the kernel is running in FIPS mode, other services and tools are not (unless they are FIPS aware). Where a tool is not FIPS aware you will need to do some additional configuration.

Example:

Edit /etc/ssh/sshd_config and add the following. Protocol 2 should already be uncommented in most cases.
– Note: also configure SSHD / SSH to use a pre-defined list of ciphers.

Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MACs hmac-sha1

Run the Netscape Cryptographic Module Utility and enable FIPS mode.
– i.e. create a FIPS compliant keystore/truststore.

# modutil -fips true -dbdir /etc/ipsec.d

DIAGNOSTIC STEPS

Verify that FIPS has been enabled; the command below returns “1” if FIPS is enabled.

# cat /proc/sys/crypto/fips_enabled
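The diagnostic check above, extended to the prelink and /etc/grub.conf settings from the configuration steps, as an added shell example that is not part of the original article. It assumes the RHEL 6 paths the article names (/etc/sysconfig/prelink, /etc/grub.conf, /proc/sys/crypto/fips_enabled) and uses df -P so long device names stay on one line; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article). The parsers take command output as
# text so they can be exercised on captured samples; check_live_host() feeds them the
# real RHEL 6 files and commands named in the article.

# Device column of `df -P <path>` output (-P keeps long device names on one line).
df_device() {
    printf '%s\n' "$1" | awk 'NR == 2 { print $1 }'
}

# Value the article appends as boot=: the /boot device when /boot is a separate
# mount, empty otherwise. $1 = `df -P /boot` output, $2 = `df -P /` output.
boot_param_value() {
    bootdev=$(df_device "$1")
    rootdev=$(df_device "$2")
    [ -n "$bootdev" ] && [ "$bootdev" != "$rootdev" ] && printf '%s\n' "$bootdev"
    return 0
}

# Succeeds when a grub kernel line carries fips=1 and, if $2 (expected boot
# device) is non-empty, also boot=$2. Whole-word matches only.
kernel_line_ok() {
    case " $1 " in *" fips=1 "*) ;; *) return 1 ;; esac
    [ -z "$2" ] && return 0
    case " $1 " in *" boot=$2 "*) return 0 ;; *) return 1 ;; esac
}

# Succeeds when /etc/sysconfig/prelink content sets PRELINKING=no; an empty
# argument (file absent, prelink package not installed) also passes.
prelink_disabled() {
    [ -z "$1" ] && return 0
    printf '%s\n' "$1" | grep -q '^PRELINKING=no'
}

# Run the checks against the running host; one PASS/FAIL line each, returns 1 on any failure.
check_live_host() {
    rc=0
    [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = 1 ] \
        && echo "PASS fips_enabled=1" || { echo "FAIL fips_enabled"; rc=1; }
    expected=$(boot_param_value "$(df -P /boot 2>/dev/null)" "$(df -P / 2>/dev/null)")
    grep '^[[:space:]]*kernel' /etc/grub.conf 2>/dev/null | while IFS= read -r line; do
        kernel_line_ok "$line" "$expected" || exit 1   # exits only the pipeline subshell
    done && echo "PASS grub kernel lines (fips=1 boot=$expected)" \
        || { echo "FAIL a kernel line in /etc/grub.conf lacks fips=1 or boot="; rc=1; }
    prelink_disabled "$(cat /etc/sysconfig/prelink 2>/dev/null)" \
        && echo "PASS prelinking disabled" || { echo "FAIL prelinking still enabled"; rc=1; }
    return $rc
}
```

Call check_live_host as root on the configured host; note that the grub check passes vacuously when /etc/grub.conf contains no kernel lines, so confirm the file is the one GRUB actually reads.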

If using dracut-fips-aesni, verify that the AES modules are loaded.

# lsmod | grep aes
 
aesni_intel            12915  0 
cryptd                  8006  1 aesni_intel
aes_x86_64              7914  1 aesni_intel
aes_generic            27609  2 aesni_intel,aes_x86_64

AES (Advanced Encryption Standard) and KVM virtual guests

Verify that the CPU on the KVM host supports AES.

# grep aes /proc/cpuinfo

  1. In virt-manager open a VM and on the menu navigate to View->Details.
  2. In the left pane select Processor.
  3. In the Processor detail pane on the right select Configuration.
  4. Click on the Copy host CPU configuration button.
  5. Click on the CPU Features item just below Copy host CPU configuration button.
  6. Scroll down the list to aes and select the appropriate option.
  7. Validation is the same as above.
