FIPS: Difference between revisions

From DikapediaV2

Revision as of 17:37, 20 August 2025

How to check if FIPS is enabled


Check that FIPS mode is enabled:

$ fips-mode-setup --check
FIPS mode is enabled.


Kernel Parameter for enabling FIPS


fips=1


How to disable FIPS


$ fips-mode-setup --check
# fips-mode-setup --disable

Reboot and then check again.
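Both checks above reduce to two indicators: the kernel's FIPS flag and the fips=1 boot parameter. The following script is an added example, not from the wiki page, that cross-checks them and reports "enabled", "disabled", or "inconsistent" (one indicator says FIPS and the other does not). File paths are passed as parameters so it runs here against constructed sample files; the function names are the example's own, not part of fips-mode-setup.

```shell
#!/bin/sh
# Added example, not from the wiki page: cross-check the two FIPS indicators
# shown above (the kernel's fips_enabled flag and the fips=1 boot parameter).
# File paths are parameters so the functions run here against constructed
# sample files; on a real host call:
#   fips_state /proc/sys/crypto/fips_enabled /proc/cmdline
# Function names are this example's own, not part of fips-mode-setup.

# Print the kernel's FIPS flag (1 or 0); a missing or unreadable file counts as 0.
kernel_fips_enabled() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        echo 0
    fi
}

# Print "yes" if the boot command line contains the fips=1 parameter, else "no".
cmdline_has_fips() {
    if [ -r "$1" ] && tr ' ' '\n' < "$1" | grep -qx 'fips=1'; then
        echo yes
    else
        echo no
    fi
}

# Combine both indicators: "enabled", "disabled", or "inconsistent".
# "inconsistent" means one indicator says FIPS and the other does not, e.g.
# fips=1 is on the command line but the kernel did not come up in FIPS mode;
# that state needs investigating rather than being reported as compliant.
fips_state() {
    k=$(kernel_fips_enabled "$1")
    c=$(cmdline_has_fips "$2")
    if [ "$k" = 1 ] && [ "$c" = yes ]; then
        echo enabled
    elif [ "$k" = 0 ] && [ "$c" = no ]; then
        echo disabled
    else
        echo inconsistent
    fi
}

# Constructed sample inputs standing in for the real /proc files.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '1\n' > "$tmp/fips_on"
printf '0\n' > "$tmp/fips_off"
printf 'BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=/dev/mapper/rhel-root ro fips=1 quiet\n' > "$tmp/cmdline_fips"
printf 'BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=/dev/mapper/rhel-root ro quiet\n' > "$tmp/cmdline_plain"

echo "sample 1: $(fips_state "$tmp/fips_on"  "$tmp/cmdline_fips")"    # enabled
echo "sample 2: $(fips_state "$tmp/fips_off" "$tmp/cmdline_plain")"   # disabled
echo "sample 3: $(fips_state "$tmp/fips_off" "$tmp/cmdline_fips")"    # inconsistent
```

The whole-line match (grep -x on one token per line) avoids accepting a parameter such as fips=10 or a substring of another option; a missing fips_enabled file is treated as "not in FIPS mode" rather than as an error, since that is what an auditor should conclude from it.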


Changing Crypto Policies


Sometimes you may need FIPS to be enabled but it appears to be blocking or preventing you from doing something (e.g. RDP sessions using xfreerdp, SSH issues, etc.). In such cases it is best to change the crypto policies: that way FIPS stays enabled and you only adjust the additional restrictions, rather than disabling FIPS altogether.

To update the crypto policies, you can run something like:

$ sudo update-crypto-policies --set FIPS:OSPP
Setting system policy to FIPS:OSPP
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.

or

$ sudo update-crypto-policies --set FIPS:NO-ENFORCE-EMS


Play around with different crypto policies to see what would work for you.

Helpful links: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#system-wide-crypto-policies_using-the-system-wide-cryptographic-policies


Check Crypto Policies


$ sudo update-crypto-policies --show
FIPS:OSPP


+------------------------+-----------------------+----------------------------------------+
| Crypto Policy          | FIPS Compliance Level | Description                            |
+------------------------+-----------------------+----------------------------------------+
| FIPS                   | FIPS-Compliant        | Enforces FIPS compliance. Only         |
|                        |                       | FIPS-validated algorithms are allowed. |
+------------------------+-----------------------+----------------------------------------+
| FIPS:NO-ENFORCE-EMS    | Relaxed FIPS          | Enforces FIPS compliance but allows    |
|                        |                       | the use of non-compliant algorithms    |
|                        |                       | for Emergency Management Services      |
|                        |                       | (EMS).                                 |
+------------------------+-----------------------+----------------------------------------+
| OSPP                   | Non-FIPS              | Common Criteria OSPP (Orange Book)     |
|                        |                       | compliance. This policy is used for    |
|                        |                       | achieving specific security            |
|                        |                       | certifications beyond FIPS.            |
+------------------------+-----------------------+----------------------------------------+
| DEFAULT                | Non-FIPS              | No FIPS restrictions. All algorithms   |
|                        |                       | (compliant and non-compliant) are      |
|                        |                       | allowed. This is the default policy.   |
+------------------------+-----------------------+----------------------------------------+
| LEGACY                 | Non-FIPS              | Allows the use of legacy algorithms    |
|                        |                       | that may not be FIPS-compliant. This   |
|                        |                       | policy is intended for compatibility   |
|                        |                       | with older systems and applications.   |
+------------------------+-----------------------+----------------------------------------+

Descriptions:

  • FIPS: This policy enforces FIPS compliance strictly. Only FIPS-validated algorithms are allowed. This is used in environments where FIPS compliance is mandatory.
  • FIPS:NO-ENFORCE-EMS: This policy enforces FIPS compliance but allows the use of non-compliant algorithms specifically for Emergency Management Services (EMS). This provides a relaxation for critical services while maintaining overall FIPS compliance.
  • OSPP: This policy is used for achieving Common Criteria OSPP (Orange Book) compliance. It is not specifically focused on FIPS compliance but rather on broader security certifications.
  • DEFAULT: This is the default crypto policy with no FIPS restrictions. All algorithms, both compliant and non-compliant, are allowed. It provides maximum flexibility but does not ensure FIPS compliance.
  • LEGACY: This policy allows the use of legacy algorithms that may not be FIPS-compliant. It is intended for compatibility with older systems and applications that require these algorithms.
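The policy name printed by update-crypto-policies --show (for example FIPS:OSPP) is a base policy followed by zero or more subpolicies separated by colons. The script below is an added example, not from the wiki page: it splits such a name, maps the base to the compliance level from the table above, and flags drift between the kernel's fips_enabled flag and the policy (the two settings that fips-mode-setup --enable establishes together). The level mapping follows the table; the drift rule and all function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the wiki page: take the policy name that
# `update-crypto-policies --show` prints (e.g. FIPS:OSPP), split it into the
# base policy and its subpolicies, map the base to the compliance level in the
# table above, and flag drift between the kernel's FIPS flag and the policy.
# The level mapping follows the table; the drift rule and all function names
# are this example's own.

# Base policy: the part before the first ':' (the whole string if there is none).
policy_base() {
    printf '%s\n' "${1%%:*}"
}

# Subpolicies: everything after the first ':' as a space-separated list; empty if none.
policy_subpolicies() {
    case "$1" in
        *:*) printf '%s\n' "${1#*:}" | tr ':' ' ' ;;
        *)   printf '\n' ;;
    esac
}

# Compliance level per the table: a FIPS base is FIPS-Compliant, unless the
# NO-ENFORCE-EMS subpolicy is present (Relaxed FIPS); the other bases are Non-FIPS.
policy_level() {
    base=$(policy_base "$1")
    subs=$(policy_subpolicies "$1")
    case "$base" in
        FIPS)
            case " $subs " in
                *" NO-ENFORCE-EMS "*) echo "Relaxed FIPS" ;;
                *)                    echo "FIPS-Compliant" ;;
            esac ;;
        DEFAULT|LEGACY|OSPP) echo "Non-FIPS" ;;
        *)                   echo "Unknown" ;;
    esac
}

# Drift check: $1 is the kernel's fips_enabled value (1 or 0), $2 the policy name.
# fips-mode-setup --enable sets both the kernel parameter and the FIPS policy;
# if someone later ran `update-crypto-policies --set DEFAULT` (instead of
# switching subpolicies), the two have diverged and the host should not be
# reported as FIPS-enabled until that is resolved.
policy_audit() {
    base=$(policy_base "$2")
    if [ "$1" = 1 ] && [ "$base" != FIPS ]; then
        echo "drift: kernel in FIPS mode but crypto policy base is $base"
    elif [ "$1" != 1 ] && [ "$base" = FIPS ]; then
        echo "drift: FIPS crypto policy set but kernel is not in FIPS mode"
    else
        echo ok
    fi
}

# Constructed inputs; on a real host use:
#   policy_audit "$(cat /proc/sys/crypto/fips_enabled)" "$(update-crypto-policies --show)"
for p in FIPS FIPS:OSPP FIPS:NO-ENFORCE-EMS DEFAULT LEGACY OSPP; do
    printf '%-22s base=%-8s level=%s\n' "$p" "$(policy_base "$p")" "$(policy_level "$p")"
done
policy_audit 1 DEFAULT      # drift: kernel in FIPS mode but crypto policy base is DEFAULT
policy_audit 1 FIPS:OSPP    # ok
```

Subpolicies are matched as whole tokens (the padded " $subs " pattern) so a name that merely contains the string is not mistaken for the NO-ENFORCE-EMS subpolicy itself; a base policy outside the table is reported as Unknown rather than silently classed as compliant.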