FIPS

From DikapediaV2
Jump to: navigation, search

How to check if FIPS is enabled


Check that FIPS mode is enabled:

$ fips-mode-setup --check
FIPS mode is enabled.


Kernel Parameter for enabling FIPS


fips=1


How to disable FIPS


$ fips-mode-setup --check
# fips-mode-setup --disable

Reboot and then check again.


Changing Crypto Policies


Sometimes you may need FIPS to be enabled but it appears to be blocking or preventing you from doing something (e.g. RDP sessions using xfreerdp or something, SSH issues, etc.). In such cases it is best to change the crypto crypto polices, that way you can still FIPS enabled and have further restrictions as opposed to disabling it.

To update the crypto policies, you can run something like:

$ sudo update-crypto-policies --set FIPS:OSPP
Setting system policy to FIPS:OSPP
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.

or

$ sudo update-crypto-policies --set FIPS:NO-ENFORCE-EMS


Play around with different crypto policies to see what would work for you.

Helpful links: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#system-wide-crypto-policies_using-the-system-wide-cryptographic-policies


Check Crypto Policies


$ sudo update-crypto-policies --show
FIPS:OSPP
Crypto Policy FIPS Compliance Level Description
FIPS FIPS-Compliant Enforces FIPS compliance. Only FIPS-validated algorithms are allowed.
FIPS:NO-ENFORCE-EMS Relaxed FIPS Enforces FIPS compliance but allows the use of non-compliant algorithms for Emergency Management Services (EMS).
OSPP Non-FIPS Common Criteria OSPP (Orange Book) compliance. This policy is used for achieving specific security certifications beyond FIPS.
DEFAULT Non-FIPS No FIPS restrictions. All algorithms (compliant and non-compliant) are allowed. This is the default policy.
LEGACY Non-FIPS Allows the use of legacy algorithms that may not be FIPS-compliant. This policy is intended for compatibility with older systems and applications.

Descriptions:

  • FIPS: This policy enforces FIPS compliance strictly. Only FIPS-validated algorithms are allowed. This is used in environments where FIPS compliance is mandatory.
  • FIPS:NO-ENFORCE-EMS: This policy enforces FIPS compliance but allows the use of non-compliant algorithms specifically for Emergency Management Services (EMS). This provides a relaxation for critical services while maintaining overall FIPS compliance.
  • OSPP: This policy is used for achieving Common Criteria OSPP (Orange Book) compliance. It is not specifically focused on FIPS compliance but rather on broader security certifications.
  • DEFAULT: This is the default crypto policy with no FIPS restrictions. All algorithms, both compliant and non-compliant, are allowed. It provides maximum flexibility but does not ensure FIPS compliance.
  • LEGACY: This policy allows the use of legacy algorithms that may not be FIPS-compliant. It is intended for compatibility with older systems and applications that require these algorithms.