1.5.6 Ensure NIST FIPS-validated cryptography is configured - grub

Information

The operating system must implement NIST FIPS-validated cryptography for the following:

provision digital signatures

generate cryptographic hashes

protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

Rationale:

Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Solution

Configure the operating system to implement DoD-approved encryption by installing the dracut-fips package.
To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel command line during system installation so key generation is done with FIPS- approved algorithms and continuous monitoring tests in place.
Configure the operating system to implement DoD-approved encryption by following the steps below:
The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users should also ensure that the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a non-unique key.
Install the dracut-fips package with the following command:

# yum install dracut-fips

Recreate the initramfs file with the following command:
Note: This command will overwrite the existing initramfs file.

# dracut -f

Modify the kernel command line of the current kernel in the grub.cfg file by adding the following option to the GRUB_CMDLINE_LINUX key in the /etc/default/grub file and then rebuild the grub.cfg file:

fips=1

Changes to /etc/default/grub require rebuilding the grub.cfg file as follows:
On BIOS-based machines, use the following command:

# grub2-mkconfig -o /boot/grub2/grub.cfg

On UEFI-based machines, use the following command:

# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

If /boot or /boot/efi reside on separate partitions, the kernel parameter boot=<partition of /boot or /boot/efi> must be added to the kernel command line. You can identify a partition by running the df /boot or df /boot/efi command:

# df /boot
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda1 495844 53780 416464 12% /boot

To ensure the boot= configuration option will work even if device naming changes occur between boots, identify the universally unique identifier (UUID) of the partition with the following command:

# blkid /dev/sda1
/dev/sda1: UUID='05c000f1-a213-759e-c7a2-f11b7424c797' TYPE='ext4'

For the example above, append the following string to the kernel command line:

boot=UUID=05c000f1-a213-759e-c7a2-f11b7424c797

Reboot the system for the changes to take effect.

Notes:

This Benchmark recommendation maps to:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide:

Version 2, Release: 3 Benchmark Date: 26 Apr 2019



Vul ID: V-72067

Rule ID: SV-86691r4_rule

STIG ID: RHEL-07-021350

Severity: CAT I

See Also

https://workbench.cisecurity.org/files/2688

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8, 800-53|SC-12, CSCv7|14.4, CSCv7|18.5

Plugin: Unix

Control ID: 87c5b226db6a4ef00988512b6dfb734e2cfc4f30e91504817480082487711e25