documentation_complete: true
title: "Enable Dracut FIPS Module"
description: |-
{{% if 'rhel' not in product %}}
To enable FIPS mode, run the following command:
fips-mode-setup --enable
{{% else %}}
{{{ full_name }}} has an installation-time kernel flag that can enable FIPS mode.
The installer must be booted with fips=1 for the system to have FIPS mode
enabled. Enabling FIPS mode on a preexisting system is not supported. If
this rule fails on an installed system, then this is a permanent
finding and cannot be fixed.
{{% endif %}}
To enable FIPS, the system requires that the fips module is added in dracut configuration.
Check if /etc/dracut.conf.d/40-fips.conf contain add_dracutmodules+=" fips "
rationale: |-
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated.
severity: high
identifiers:
cce@rhcos4: CCE-82548-9
cce@rhel8: CCE-82155-3
cce@rhel9: CCE-86547-7
cce@rhel10: CCE-88066-6
references:
nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
nist: SC-12(2),SC-12(3),IA-7,SC-13,CM-6(a),SC-12
ospp: FCS_RBG_EXT.1
srg: SRG-OS-000478-GPOS-00223
stigid@ol8: OL08-00-010020
ocil_clause: 'the Dracut FIPS module is not enabled'
ocil: |-
To verify that the Dracut FIPS module is enabled, run the following command:
grep "add_dracutmodules" /etc/dracut.conf.d/40-fips.conf
The output should look like this:
add_dracutmodules+=" fips "
platform: not bootc and system_with_kernel and not osbuild
warnings:
- general: |-
{{% if 'rhel' not in product %}}
The system needs to be rebooted for these changes to take effect.
{{% else %}}
To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported.
{{% endif %}}
- regulatory: |-
System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use cryptographic-based security
systems to protect sensitive information in computer and telecommunication systems
(including voice systems) as defined in Section 5131 of the Information Technology
Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing
and implementing cryptographic modules that Federal departments and agencies operate or are
operated for them under contract.
See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}
To meet this, the system has to have cryptographic software provided by a vendor that has
undergone this certification. This means providing documentation, test results, design
information, and independent third party review by an accredited lab. While open source
software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to
this process.
fixtext: |-
Configure {{{ full_name }}} to run in FIPS mode.
Run the following command to enable FIPS mode:
$ sudo fips-mode-setup --enable
Check the /etc/dracut.conf.d/40-fips.conf file and make sure it includes the following line:
add_dracutmodules+=" fips "
The system needs to be rebooted for these changes to take effect.
srg_requirement: '{{{ full_name }}} must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards'