CMMC FIPS Mode Enabled

To achieve CMMC compliance, a Red Hat Enterprise Linux 8 system (or any of its variants) must run in FIPS mode.  FIPS mode can be a difficult hurdle, but it does not have to be.  While researching a recent problem encountered on a FIPS-enabled system, more questions than answers were raised.  As you progress through this article, you will see what is meant by that.

What is FIPS?

A great summary of FIPS is provided by Red Hat as “[t]he Federal Information Processing Standard (FIPS) Publication 140-2, is a computer security standard, developed by a U.S. Government and industry working group to validate the quality of cryptographic modules.”  While hardening the Red Hat operating system to fall into CMMC compliance,

What is CMMC?

“CMMC stands for “Cybersecurity Maturity Model Certification” and is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). The CMMC framework includes a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department that a DIB company can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain.” – Office of the Under Secretary of Defense for Acquisition & Sustainment.

System Hardening

Part of the system hardening enables FIPS mode, and part of that process is running a couple of commands.  One of them is “update-crypto-policies”.  This command rewrites the configuration file /etc/crypto-policies/config (here to FIPS:OSPP) and regenerates the per-library back-end configs under /etc/crypto-policies/back-ends/.  Because the policy is read at application start-up, a reboot is required for every running service to pick it up.  Note that this command only sets the crypto policy layer; on RHEL 8 the kernel itself is put into FIPS mode by fips-mode-setup --enable (which adds fips=1 to the boot parameters and sets the FIPS policy), so setting the policy alone does not make the system FIPS-enabled.

# /usr/bin/update-crypto-policies --set <policy>[:<subpolicy>...]
/usr/bin/update-crypto-policies --set FIPS:OSPP
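A quick consistency check for the hardening step above, written as an added example (it is not part of the original article or of Red Hat's tooling).  It reads the kernel FIPS flag and the active crypto policy and flags the common mistake of setting the FIPS:OSPP policy without ever enabling kernel FIPS mode.  The two file paths default to the real RHEL 8 locations but are parameters so the functions can be run against copied or constructed files; the sample files in the usage section are constructed for the example.

```shell
#!/bin/sh
# Added example: report whether the kernel is actually in FIPS mode and
# whether the system-wide crypto policy agrees with it.
# Paths default to the real RHEL 8 locations; they are parameters so the
# check can also run against copied or constructed files.

# Print the kernel FIPS flag: 1 = booted with fips=1, 0 = not,
# "unknown" if the sysctl file does not exist (non-FIPS kernel or not Linux).
kernel_fips_flag() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    if [ -r "$flag_file" ]; then
        tr -d '[:space:]' < "$flag_file"
    else
        echo unknown
    fi
}

# Print the active policy name as written by update-crypto-policies --set,
# e.g. DEFAULT or FIPS:OSPP. Comment and blank lines are skipped.
crypto_policy_name() {
    policy_file="${1:-/etc/crypto-policies/config}"
    if [ -r "$policy_file" ]; then
        grep -v '^[[:space:]]*#' "$policy_file" | grep -v '^[[:space:]]*$' \
            | head -n 1 | tr -d '[:space:]'
    else
        echo unknown
    fi
}

# Return 0 when the kernel is in FIPS mode AND the policy is FIPS or a FIPS
# subpolicy such as FIPS:OSPP. Otherwise print what is wrong and return 1.
# The pitfall this catches: `update-crypto-policies --set FIPS:OSPP` on its
# own leaves fips_enabled at 0; `fips-mode-setup --enable` plus a reboot is
# what turns on kernel FIPS mode.
fips_consistent() {
    flag=$(kernel_fips_flag "$1")
    policy=$(crypto_policy_name "$2")
    case "$policy" in
        FIPS|FIPS:*) policy_ok=1 ;;
        *)           policy_ok=0 ;;
    esac
    if [ "$flag" = 1 ] && [ "$policy_ok" = 1 ]; then
        echo "OK: kernel fips_enabled=1, crypto policy $policy"
        return 0
    fi
    if [ "$flag" != 1 ]; then
        echo "WARN: kernel fips_enabled=$flag; run 'fips-mode-setup --enable' and reboot" >&2
    fi
    if [ "$policy_ok" = 0 ]; then
        echo "WARN: crypto policy is '$policy', not FIPS or FIPS:<subpolicy>" >&2
    fi
    return 1
}

# Usage on a live host (real paths): fips_consistent
# Usage against constructed files:   fips_consistent ./fips_enabled ./config
```

On a hardened host the expected result is the OK line; a WARN about fips_enabled with a FIPS policy in place means the policy was set but fips-mode-setup --enable was never run (or the reboot has not happened yet).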

What is interesting about FIPS:OSPP is that it is not listed as a policy in the man page.  The policies listed are LEGACY, DEFAULT, FUTURE, and FIPS.

man crypto-policies

Reading through a Red Hat Customer Portal article, “KeyExchange algorithm negotiation failed to access RHEL8 ssh server with FIPS:OSPP crypto policy enabled”, there appears to be a significant difference between FIPS and FIPS:OSPP.

RHEL 8’s SSH key exchange algorithms when the FIPS crypto policy is enabled:

ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group-exchange-sha256
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512

RHEL 8’s SSH key exchange algorithms when the FIPS:OSPP crypto policy is enabled:

ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group14-sha256

Note that there are fewer key exchanges: OSPP drops diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512 and diffie-hellman-group18-sha512.  A client that only offers the removed methods has nothing in common with the server and the connection fails at key exchange, which is the negotiation failure the Red Hat article describes.
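The mismatch can be reproduced offline before touching a production server.  The script below is an added example (not from the original article or from Red Hat): it pulls the server's allowed KexAlgorithms out of a file in the layout of /etc/crypto-policies/back-ends/opensshserver.config (a CRYPTO_POLICY='... -oKexAlgorithms=a,b,c ...' line; that layout is assumed here), intersects it with a client's offered list (what `ssh -Q kex` prints on the client), and reports whether the two sides can negotiate.  The sample config line and the two client lists are constructed from the algorithm lists above, with ciphers and host key types abbreviated.

```shell
#!/bin/sh
# Added example: check SSH key exchange compatibility between a client's
# offered algorithms and a server's crypto-policy allow list, offline.

# Extract the comma-separated KexAlgorithms value from a file laid out like
# /etc/crypto-policies/back-ends/opensshserver.config
# (CRYPTO_POLICY='... -oKexAlgorithms=a,b,c ...'). Layout assumed for the example.
kex_from_policy() {
    sed -n "s/.*-oKexAlgorithms=\([^ ']*\).*/\1/p" "$1" | head -n 1
}

# Print, one per line and in client preference order, the algorithms present
# in both comma-separated lists ($1 = client offer, $2 = server allow list).
common_kex() {
    server_list=",$2,"
    echo "$1" | tr ',' '\n' | while IFS= read -r alg; do
        case "$server_list" in
            *",$alg,"*) echo "$alg" ;;
        esac
    done
}

# Print the negotiable algorithms and return 0, or diagnose the
# "no matching key exchange method found" failure and return 1.
check_kex_negotiation() {
    shared=$(common_kex "$1" "$2")
    if [ -z "$shared" ]; then
        echo "FAIL: no common key exchange method" >&2
        echo "  client offers: $1" >&2
        echo "  server allows: $2" >&2
        return 1
    fi
    echo "$shared"
}

# Constructed sample (not a real file from a RHEL host): the FIPS:OSPP allow
# list from the article, in the opensshserver.config layout, abbreviated.
SAMPLE_OSPP_CONFIG="CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com -oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256 -oHostKeyAlgorithms=ecdsa-sha2-nistp256'"

# Constructed client offers: one built from the plain FIPS list, one pinned
# to exactly the DH methods that OSPP removes.
FIPS_CLIENT_KEX="ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512"
LEGACY_CLIENT_KEX="diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512"

# Run both clients against the sample server policy.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_OSPP_CONFIG" > "$tmp"
    server=$(kex_from_policy "$tmp")
    rm -f "$tmp"
    echo "server allows: $server"
    echo "FIPS client negotiates:"
    check_kex_negotiation "$FIPS_CLIENT_KEX" "$server"
    echo "legacy client:"
    check_kex_negotiation "$LEGACY_CLIENT_KEX" "$server" \
        || echo "(legacy client cannot connect to a FIPS:OSPP server)"
}

demo
```

Against a real host, feed kex_from_policy the server's actual opensshserver.config and pass the output of `ssh -Q kex` from the failing client; the FAIL branch lists exactly which side needs to change.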

Custom Policies

From the man page of update-crypto-policies: custom policies can take the form of a subpolicy, or policy modifier.

This form modifies aspects of any base policy file by removing or adding algorithms or protocols. The subpolicies can be appended on the update-crypto-policies --set command line to the base policy separated by the : character. There can be multiple subpolicies appended.

[S]uppose [a] subpolicy NO-SHA1 that drops support for SHA1 hash and subpolicy GOST that enables support for the various algorithms specified in Russian GOST standards. You can set the DEFAULT policy with disabled SHA1 support and enabled GOST support by running the following command:

update-crypto-policies --set DEFAULT:NO-SHA1:GOST

This command generates and applies configuration that will be a modification of the DEFAULT policy with the changes specified in the NO-SHA1 and GOST subpolicies.

With the policy model understood, I tracked down the directories.  The base policies live in /usr/share/crypto-policies/policies/, the subpolicies (modules) such as OSPP live in its modules/ subdirectory, and the per-library files under /etc/crypto-policies/back-ends/ are symlinks into the generated configuration for the active policy (DEFAULT on the host below).  Mystery solved: FIPS:OSPP is the FIPS base policy with the OSPP module applied on top.

[root@admin modules]# ll /usr/share/crypto-policies/policies/
total 20
-rw-r--r--. 1 root root 2121 Feb 9 12:10 DEFAULT.pol
-rw-r--r--. 1 root root 364 Feb 9 12:10 EMPTY.pol
-rw-r--r--. 1 root root 1680 Feb 9 12:10 FIPS.pol
-rw-r--r--. 1 root root 2029 Feb 9 12:10 FUTURE.pol
-rw-r--r--. 1 root root 2543 Feb 9 12:10 LEGACY.pol
drwxr-xr-x. 2 root root 113 Apr 15 12:31 modules
[root@admin modules]# ll /usr/share/crypto-policies/policies/modules/
total 20
-rw-r--r--. 1 root root 288 Feb 9 12:10 AD-SUPPORT.pmod
-rw-r--r--. 1 root root 118 Feb 9 12:10 ECDHE-ONLY.pmod
-rw-r--r--. 1 root root 246 Feb 9 12:10 NO-CAMELLIA.pmod
-rw-r--r--. 1 root root 150 Feb 9 12:10 NO-SHA1.pmod
-rw-r--r--. 1 root root 2031 Feb 9 12:10 OSPP.pmod
[root@admin modules]# ll /etc/crypto-policies/back-ends/
total 4
lrwxrwxrwx. 1 root root 43 Jun 29 11:47 bind.config -> /usr/share/crypto-policies/DEFAULT/bind.txt
lrwxrwxrwx. 1 root root 45 Jun 29 11:47 gnutls.config -> /usr/share/crypto-policies/DEFAULT/gnutls.txt
lrwxrwxrwx. 1 root root 43 Jun 29 11:47 java.config -> /usr/share/crypto-policies/DEFAULT/java.txt
lrwxrwxrwx. 1 root root 43 Jun 29 11:47 krb5.config -> /usr/share/crypto-policies/DEFAULT/krb5.txt
lrwxrwxrwx. 1 root root 48 Jun 29 11:47 libreswan.config -> /usr/share/crypto-policies/DEFAULT/libreswan.txt
lrwxrwxrwx. 1 root root 45 Jun 29 11:47 libssh.config -> /usr/share/crypto-policies/DEFAULT/libssh.txt
-rw-r--r--. 1 root root 429 Jun 29 11:47 nss.config
lrwxrwxrwx. 1 root root 46 Jun 29 11:47 openssh.config -> /usr/share/crypto-policies/DEFAULT/openssh.txt
lrwxrwxrwx. 1 root root 52 Jun 29 11:47 opensshserver.config -> /usr/share/crypto-policies/DEFAULT/opensshserver.txt
lrwxrwxrwx. 1 root root 49 Jun 29 11:47 opensslcnf.config -> /usr/share/crypto-policies/DEFAULT/opensslcnf.txt
lrwxrwxrwx. 1 root root 46 Jun 29 11:47 openssl.config -> /usr/share/crypto-policies/DEFAULT/openssl.txt
[root@admin modules]#

Revert

If you have an issue that cannot be explained or resolved, reset the crypto policy to DEFAULT and reboot.  Keep in mind that this only resets the policy layer: the kernel stays in FIPS mode (fips-mode-setup --check shows the current state), and a system on the DEFAULT policy is no longer in the FIPS configuration the hardening called for, so treat this as a troubleshooting step rather than an end state.

/usr/bin/update-crypto-policies --set DEFAULT