
Federal Standards and Regulations

From the document Red Hat Enterprise Linux 7 Security Guide (pages 185-189)


Chapter 7. Federal Standards and Regulations

To maintain a defined security level, your organization can work toward compliance with federal and industry security specifications, standards, and regulations. This chapter describes some of these standards and regulations.

7.1. Federal Information Processing Standard (FIPS)

The Federal Information Processing Standard (FIPS) Publication 140-2 is a computer security standard, developed by a U.S. Government and industry working group, to validate the quality of cryptographic modules. FIPS publications (including 140-2) can be found at the following URL: http://csrc.nist.gov/publications/PubsFIPS.html. Note that at the time of writing, Publication 140-3 is at Draft status and may not represent the completed standard. (FIPS 140-3 has since been approved and has replaced 140-2 for new module validations, so check which revision your validated module was certified against.) The FIPS standard provides four (4) security levels to ensure adequate coverage of different industries, implementations of cryptographic modules, and organizational sizes and requirements. These levels are described below:

Level 1 — Security Level 1 provides the lowest level of security. Basic security requirements are specified for a cryptographic module (for example, at least one Approved algorithm or Approved security function shall be used). No specific physical security mechanisms are required in a Security Level 1 cryptographic module beyond the basic requirement for production-grade components. An example of a Security Level 1 cryptographic module is a personal computer (PC) encryption board.

Level 2 — Security Level 2 enhances the physical security mechanisms of a Security Level 1 cryptographic module by adding the requirement for tamper-evidence, which includes the use of tamper-evident coatings or seals, or of pick-resistant locks on removable covers or doors of the module. Tamper-evident coatings or seals are placed on a cryptographic module so that the coating or seal must be broken to attain physical access to the plaintext cryptographic keys and critical security parameters (CSPs) within the module. Tamper-evident seals or pick-resistant locks are placed on covers or doors to protect against unauthorized physical access.

Level 3 — In addition to the tamper-evident physical security mechanisms required at Security Level 2, Security Level 3 attempts to prevent the intruder from gaining access to CSPs held within the cryptographic module. Physical security mechanisms required at Security Level 3 are intended to have a high probability of detecting and responding to attempts at physical access, use, or modification of the cryptographic module. The physical security mechanisms may include the use of strong enclosures and tamper detection/response circuitry that zeroes all plaintext CSPs when the removable covers/doors of the cryptographic module are opened.

Level 4 — Security Level 4 provides the highest level of security defined in this standard. At this security level, the physical security mechanisms provide a complete envelope of protection around the cryptographic module with the intent of detecting and responding to all unauthorized attempts at physical access. Penetration of the cryptographic module enclosure from any direction has a very high probability of being detected, resulting in the immediate zeroization of all plaintext CSPs. Security Level 4 cryptographic modules are useful for operation in physically unprotected environments. See the full FIPS 140-2 standard at http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf for further details on these levels and the other specifications of the FIPS standard.

7.1.1. Enabling FIPS Mode

To make Red Hat Enterprise Linux compliant with the Federal Information Processing Standard (FIPS) Publication 140-2, you need to make several changes to ensure that accredited cryptographic modules are used. To switch your system (kernel and user space) into FIPS mode, follow these steps:

1. For proper operation of the in-module integrity verification, prelinking has to be disabled. Set PRELINKING=no in the /etc/sysconfig/prelink configuration file. Existing prelinking, if any, should be undone on all system files using the prelink -u -a command.

2. Next, install the dracut-fips package:

~]# yum install dracut-fips

3. Recreate the initramfs file:

~]# dracut -f

Warning

This operation will overwrite the existing initramfs file.

4. Modify the kernel command line of the current kernel in the grub.cfg file by adding the following option to the GRUB_CMDLINE_LINUX key in the /etc/default/grub file, and then rebuild the grub.cfg file:

fips=1

Changes to /etc/default/grub require rebuilding the grub.cfg file as follows. On BIOS-based machines, issue the following command as root:

~]# grub2-mkconfig -o /boot/grub2/grub.cfg

On UEFI-based machines, issue the following command as root:

~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

Note

If /boot or /boot/efi resides on a separate partition, the kernel parameter boot=<partition of /boot or /boot/efi> must be added to the kernel command line. You can identify the partition by running the df /boot or df /boot/efi command respectively:

~]$ df /boot
Filesystem     1K-blocks  Used Available Use% Mounted on
/dev/sda1         495844 53780    416464  12% /boot

To ensure that the boot= configuration option will keep working even if device naming changes between boots, identify the universally unique identifier (UUID) of the partition by running the following command:

~]$ blkid /dev/sda1
/dev/sda1: UUID="05c000f1-f899-467b-a4d9-d5ca4424c797" TYPE="ext4"

For the example above, the following string needs to be appended to the kernel command line:

boot=UUID=05c000f1-f899-467b-a4d9-d5ca4424c797

5. Reboot your system.

Should you require strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel command line during system installation, so that key generation is done with FIPS-approved algorithms and with the continuous monitoring tests in place. Users should also ensure that the system has plenty of entropy during the installation process by moving the mouse around or, if no mouse is available, by ensuring that many keystrokes are typed.

The recommended amount of keystrokes is 256 or more. Fewer than 256 keystrokes may generate a non-unique key.
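After the reboot, a practitioner wants a repeatable way to confirm that every step above actually took effect rather than trusting that it did. The following POSIX shell script is an added example (it is not part of the Red Hat Security Guide) that audits the state the procedure leaves behind: the kernel's own report of FIPS mode in /proc/sys/crypto/fips_enabled, the PRELINKING=no setting from step 1, the fips=1 parameter from step 4 on the running command line, and the boot= rule from the Note, derived from the same df and blkid output shapes shown above. Every check takes its input file or text as a parameter so it can be exercised on constructed input; called without arguments, the functions read the live system locations. The function names and the fips_audit wrapper are this example's own.

```shell
#!/bin/sh
# Post-reboot audit for the RHEL 7 FIPS procedure (added example, not guide code).
# Each check accepts the file or text to inspect; defaults are the live locations.

# The kernel reports its FIPS state in /proc/sys/crypto/fips_enabled ("1" = on).
check_fips_kernel() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Step 1: /etc/sysconfig/prelink must carry PRELINKING=no (a missing file means
# the prelink package is not installed, so there is nothing to undo).
check_prelink() {
    f="${1:-/etc/sysconfig/prelink}"
    if [ ! -e "$f" ]; then
        return 0
    fi
    grep -Eq '^[[:space:]]*PRELINKING=no[[:space:]]*$' "$f"
}

# Step 4: the running kernel command line must contain the exact token fips=1
# (a whole-token match, so values such as fips=10 or fips=1x do not pass).
check_cmdline() {
    f="${1:-/proc/cmdline}"
    tr ' ' '\n' < "$f" | grep -qx 'fips=1'
}

# Note: given the data lines of `df -P /boot` and `df -P /`, report whether
# /boot lives on its own partition (the first field is the backing device).
separate_boot() {
    bdev=$(printf '%s\n' "$1" | awk '{print $1}')
    rdev=$(printf '%s\n' "$2" | awk '{print $1}')
    [ -n "$bdev" ] && [ -n "$rdev" ] && [ "$bdev" != "$rdev" ]
}

# Note: build the device-name-independent boot= parameter from one blkid line,
# e.g. /dev/sda1: UUID="05c0..." TYPE="ext4"  ->  boot=UUID=05c0...
boot_uuid_param() {
    uuid=$(printf '%s\n' "$1" | sed -n 's/.*UUID="\([^"]*\)".*/\1/p')
    [ -n "$uuid" ] || return 1
    printf 'boot=UUID=%s\n' "$uuid"
}

# Note's rule: only when /boot is separate must the command line carry boot=...
check_boot_param() {
    cmdline_file="$1"; df_boot="$2"; df_root="$3"
    if separate_boot "$df_boot" "$df_root"; then
        tr ' ' '\n' < "$cmdline_file" | grep -q '^boot=.'
    else
        return 0
    fi
}

# Run every check against the live system; the return value is the number of
# failed checks, so 0 means the procedure is fully in effect.
fips_audit() {
    fails=0
    for c in check_fips_kernel check_prelink check_cmdline; do
        if "$c"; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    # df -P keeps each filesystem on one line even for long device-mapper names.
    if check_boot_param /proc/cmdline "$(df -P /boot | sed -n 2p)" "$(df -P / | sed -n 2p)"; then
        echo "PASS check_boot_param"
    else
        echo "FAIL check_boot_param"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Usage on a RHEL 7 host:  . ./fips_audit.sh; fips_audit; echo "failures: $?"
```

The audit deliberately checks /proc/cmdline rather than /etc/default/grub: the latter only shows what the next grub2-mkconfig run will produce, whereas the running command line shows what the kernel actually booted with, which is the state FIPS mode depends on. A FAIL on check_boot_param with /boot on its own partition is the classic cause of a system that reports fips=1 yet cannot run the module integrity checks at boot.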

7.2. National Industrial Security Program Operating Manual (NISPOM)

The NISPOM (also called DoD 5220.22-M), as a component of the National Industrial Security Program (NISP), establishes a series of procedures and requirements for all government contractors with regard to classified information. The current NISPOM is dated February 28, 2006, with incorporated major changes from March 28, 2013. The NISPOM document can be downloaded from the following URL: http://www.nispom.org/NISPOM-download.html.

7.3. Payment Card Industry Data Security Standard (PCI DSS)

From https://www.pcisecuritystandards.org/about/index.shtml: The PCI Security Standards

management, education, and awareness of the PCI Security Standards, including the Data Security Standard (DSS).

You can download the PCI DSS standard from https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml.

7.4. Security Technical Implementation Guide

A Security Technical Implementation Guide, or STIG, is a methodology for the standardized secure installation and maintenance of computer software and hardware.

See the following URL for more information on STIGs: http://iase.disa.mil/stigs/Pages/index.aspx.
