Set kernel parameter 'crypto.fips_enabled' to 1
An XCCDF Rule
Description
System running in FIPS mode is indicated by kernel parameter
'crypto.fips_enabled'
. This parameter should be set to 1
in FIPS mode.
To enable FIPS mode, run the following command:
fips-mode-setup --enableTo enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot parameters during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place.
warning alert: Warning
The system needs to be rebooted for these changes to take effect.
warning alert: Regulatory Warning
System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use cryptographic-based security
systems to protect sensitive information in computer and telecommunication systems
(including voice systems) as defined in Section 5131 of the Information Technology
Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing
and implementing cryptographic modules that Federal departments and agencies operate or are
operated for them under contract.
See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by a vendor that has
undergone this certification. This means providing documentation, test results, design
information, and independent third party review by an accredited lab. While open source
software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to
this process.
Rationale
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
- ID
- xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled
- Severity
- High
- References
- Updated