Enable FIPS Mode
An XCCDF Rule
Description
To enable FIPS mode, run the following command:
fips-mode-setup --enable
The fips-mode-setup command configures the system in FIPS mode by automatically doing the following:
- Setting the kernel FIPS mode flag (/proc/sys/crypto/fips_enabled) to 1
- Creating /etc/system-fips
- Setting the system crypto policy in /etc/crypto-policies/config to the selected var_system_crypto_policy value
- Loading the Dracut fips module
Warning: The system needs to be rebooted for these changes to take effect.
Regulatory Warning: This rule DOES NOT CHECK whether the components of the operating system are FIPS certified.
You can find the list of FIPS certified modules at
https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search.
This rule checks if the system is running in FIPS mode. See the rule description for more information about what it means.
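The following script is an added example (not part of the SSG rule or the fips-mode-setup tool) that re-checks, after the reboot, the four settings listed above plus the kernel command line. Two details are assumptions not stated on this page: that fips-mode-setup records the Dracut module request as add_dracutmodules+=" fips " in a file under /etc/dracut.conf.d/, and that it adds fips=1 to the kernel command line (which is why a reboot is needed before the kernel flag reads 1). The optional directory prefix lets the same function inspect a staged image tree instead of the live system.

```shell
#!/bin/sh
# fips_status.sh (added example): verify the state "fips-mode-setup --enable"
# leaves behind. Argument: optional prefix of a root tree; "" = live system.
# Exit status 0 only when every check passes.

fips_check() {
    root="${1:-}"          # "" = live system, otherwise a chroot-style prefix
    rc=0

    # 1. Kernel FIPS flag must read exactly "1".
    flag="$(cat "$root/proc/sys/crypto/fips_enabled" 2>/dev/null || true)"
    if [ "$flag" = "1" ]; then
        echo "PASS kernel fips_enabled=1"
    else
        echo "FAIL kernel fips_enabled='${flag:-unreadable}' (expected 1)"; rc=1
    fi

    # 2. Marker file created by fips-mode-setup.
    if [ -f "$root/etc/system-fips" ]; then
        echo "PASS /etc/system-fips present"
    else
        echo "FAIL /etc/system-fips missing"; rc=1
    fi

    # 3. System-wide crypto policy: the config file holds one policy name.
    #    FIPS and FIPS:<subpolicy> (e.g. FIPS:OSPP) are both accepted.
    policy="$(sed -n '1p' "$root/etc/crypto-policies/config" 2>/dev/null || true)"
    case "$policy" in
        FIPS|FIPS:*) echo "PASS crypto policy is $policy" ;;
        *)           echo "FAIL crypto policy is '${policy:-unset}' (expected FIPS)"; rc=1 ;;
    esac

    # 4. Dracut fips module requested for the initramfs. Assumption: the
    #    request lives in /etc/dracut.conf.d/*.conf as add_dracutmodules+=" fips ".
    if grep -qs 'add_dracutmodules.*fips' "$root"/etc/dracut.conf.d/*.conf; then
        echo "PASS dracut fips module enabled"
    else
        echo "FAIL no dracut.conf.d entry adds the fips module"; rc=1
    fi

    # 5. Kernel command line carries fips=1 (assumption: set by fips-mode-setup;
    #    absent until the post-enable reboot has happened).
    if grep -qsw 'fips=1' "$root/proc/cmdline"; then
        echo "PASS fips=1 on kernel command line"
    else
        echo "FAIL fips=1 not on kernel command line (reboot pending?)"; rc=1
    fi

    return "$rc"
}

# Usage: sh fips_status.sh --live   (checks the running system)
case "${1:-}" in --live) fips_check ;; esac
```

Run it with --live on the host after the reboot; a FAIL on the kernel flag or command line with the other three passing is the typical "enabled but not yet rebooted" state the warning above refers to. Passing this script still says nothing about certification status: it only confirms the mode is switched on, exactly as the Regulatory Warning describes.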
Rationale
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
ID: xccdf_org.ssgproject.content_rule_enable_fips_mode
Severity: High
References:
Updated:
Remediation - OS Build Blueprint
[customizations]
fips = true
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
var_system_crypto_policy='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_system_crypto_policy" use="legacy"/>'
Remediation - Ansible
- name: XCCDF Value var_system_crypto_policy # promote to variable
set_fact:
var_system_crypto_policy: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_system_crypto_policy" use="legacy"/>
tags:
- always