6.7 Ensure FIPS 140-2 OpenSSL Cryptography Is Used - fips_enabled

Information

Install, configure, and use OpenSSL on a platform that has a NIST certified FIPS 140-2 installation of OpenSSL. This provides PostgreSQL instances the ability to generate and validate cryptographic hashes to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owner's requirements.
Rationale:
Federal Information Processing Standard (FIPS) Publication 140-2 is a computer security standard developed by a U.S. Government and industry working group for validating the quality of cryptographic modules. Use of weak or untested encryption algorithms undermines the purpose of using encryption to protect data. PostgreSQL uses OpenSSL for the underlying encryption layer.
The database and application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. It is the responsibility of the data owner to assess the cryptography requirements in light of applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
For detailed information, refer to NIST FIPS Publication 140-2, Security Requirements for Cryptographic Modules. Note that the product's cryptographic modules must be validated and certified by NIST as FIPS-compliant. The security functions validated as part of FIPS 140-2 for cryptographic modules are described in FIPS 140-2 Annex A. Currently only Red Hat Enterprise Linux is certified as a FIPS 140-2 distribution of OpenSSL. For other operating systems, users must obtain or build their own FIPS 140-2 OpenSSL libraries.

Solution

Configure OpenSSL to be FIPS compliant. PostgreSQL uses OpenSSL for cryptographic modules. To configure OpenSSL to be FIPS 140-2 compliant, see the official RHEL Documentation. Below is a general summary of the steps required:
* Install the dracut-fips package
$ yum -y install dracut-fips
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
[snip]
Resolving Dependencies
--> Running transaction check
---> Package dracut-fips.x86_64 0:033-554.el7 will be installed
--> Processing Dependency: hmaccalc for package: dracut-fips-033-554.el7.x86_64
--> Running transaction check
---> Package hmaccalc.x86_64 0:0.9.13-4.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved

 Package            Arch         Version           Repository    Size

Installing:
 dracut-fips        x86_64       033-554.el7       base          61 k
Installing for dependencies:
 hmaccalc           x86_64       0.9.13-4.el7      base          26 k

Transaction Summary
Install 1 Package (+1 Dependent package)

Total download size: 87 k
Installed size: 107 k
Downloading packages:
[snip]
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : hmaccalc-0.9.13-4.el7.x86_64 1/2
Installing : dracut-fips-033-554.el7.x86_64 2/2
Verifying : hmaccalc-0.9.13-4.el7.x86_64 1/2
Verifying : dracut-fips-033-554.el7.x86_64 2/2

Installed:
dracut-fips.x86_64 0:033-554.el7

Dependency Installed:
hmaccalc.x86_64 0:0.9.13-4.el7

Complete!
* Recreate the initramfs file
$ dracut -f
* Modify the kernel command line, e.g. GRUB_CMDLINE_LINUX, of the current kernel in the /etc/default/grub file by adding the following option: fips=1
* Run one of the following commands, or both if unsure how the machine is booting:
# If booting from BIOS
$ grub2-mkconfig -o /boot/grub2/grub.cfg

# If booting from EFI
$ grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg
* If you have prelink installed, execute prelink -u -a prior to the next reboot.
* Reboot the system for changes to take effect.
* Verify fips_enabled according to Audit Procedure above.
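
The following script is an added example, not part of the benchmark text. It classifies how far the procedure above has progressed by comparing the fips=1 setting in /etc/default/grub with the kernel's FIPS flag. It assumes the flag is read from /proc/sys/crypto/fips_enabled; the function names and state labels are hypothetical.

```shell
#!/bin/sh
# Added example (not from the benchmark): classify how far the FIPS
# enablement procedure has progressed on a host.

# Succeeds if the kernel command line string in $1 contains fips=1 as a
# whole token (so fips=0, fips=10 or nofips=1 do not match).
has_fips_token() {
    for tok in $1; do
        if [ "$tok" = "fips=1" ]; then return 0; fi
    done
    return 1
}

# Prints the last active GRUB_CMDLINE_LINUX value in grub defaults file $1,
# ignoring commented lines and GRUB_CMDLINE_LINUX_DEFAULT.
grub_cmdline() {
    sed -n 's/^[[:space:]]*GRUB_CMDLINE_LINUX=//p' "$1" 2>/dev/null |
        tail -n 1 | tr -d "\"'"
}

# fips_state [GRUB_DEFAULTS] [FLAG_FILE]
# Prints: enabled | not-persistent | pending-reboot | not-configured
fips_state() {
    grub_file=${1:-/etc/default/grub}
    flag_file=${2:-/proc/sys/crypto/fips_enabled}   # assumed flag location
    flag=$(cat "$flag_file" 2>/dev/null || echo 0)
    if has_fips_token "$(grub_cmdline "$grub_file")"; then
        configured=1
    else
        configured=0
    fi
    if [ "$flag" = "1" ] && [ "$configured" = 1 ]; then
        echo enabled
    elif [ "$flag" = "1" ]; then
        echo not-persistent   # in FIPS mode now, but grub defaults lack fips=1
    elif [ "$configured" = 1 ]; then
        echo pending-reboot   # fips=1 set; grub.cfg rebuild or reboot outstanding
    else
        echo not-configured
    fi
}

# Run against the live system only when asked, so the file can be sourced.
if [ "${1:-}" = "--audit" ]; then fips_state; fi
```

Any result other than enabled means at least one step of the procedure is still outstanding or would be lost the next time grub.cfg is regenerated.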

See Also

https://workbench.cisecurity.org/files/2306

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-13, CSCv6|14.2

Plugin: Unix

Control ID: 73a24532dfe7b344ffa40b888c5bed60cac124d3102738905f4ddadfbff675bd