Enable FIPS Mode in GRUB2

An XCCDF Rule

Description

To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:

$ sudo dnf install dracut-fips
dracut -f

After the dracut command has been run, add the argument fips=1 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:

GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 fips=1"

Finally, rebuild the grub.cfg file by using the

grub2-mkconfig -o

command as follows:

On BIOS-based machines, issue the following command as root:
```
~]# grub2-mkconfig -o /boot/grub2/grub.cfg
```
On UEFI-based machines, issue the following command as root:
```
~]# grub2-mkconfig -o /boot/grub2/grub.cfg
```

warning alert: Functionality Warning

Running

dracut -f

will overwrite the existing initramfs file.

warning alert: Warning

The system needs to be rebooted for these changes to take effect.

warning alert: Regulatory Warning

System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.

Rationale

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

ID: xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode
Severity: High
References: 12 15 8

5.10.1.2

APO13.01 DSS01.04 DSS05.02 DSS05.03

3.13.11 3.13.8

CCI-000068 CCI-000803 CCI-001199 CCI-002450 CCI-002476

4.3.3.6.6

SR 1.13 SR 2.6 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6

A.11.2.6 A.13.1.1 A.13.2.1 A.14.1.3 A.6.2.1 A.6.2.2

CIP-003-8 R4.2 CIP-007-3 R5.1

CM-6(a) IA-7 SC-12 SC-12(2) SC-12(3) SC-13

PR.AC-3 PR.PT-4

SRG-OS-000033-GPOS-00014 SRG-OS-000185-GPOS-00079 SRG-OS-000396-GPOS-00176 SRG-OS-000405-GPOS-00184 SRG-OS-000478-GPOS-00223
Updated: 8 months ago