So, you’ve installed CentOS 9 on a server, but you’re not a 1337 information security architect
and don’t really know where to get started.
That’s fine. You still need to do some basic hardening of your machine, or someone will start mining bitcoin on your new server in between using it as a staging host to launch attacks on other people’s servers. Even then, there’s no guarantee, but you can make it harder to do that to you (and to your reputation: yes, people out there judge you based on your servers’ security posture).
The first thing you should be aware of is that there are whole organizations whose purpose it is to write security standards that you can learn and adhere to. One of particular note is the National Institute of Standards and Technology.
But, if you cared about stuff like that, you wouldn’t be reading this.
So there are two standards collections we’re going to barely talk about here: one is called FIPS (specifically FIPS 140, the standard for validated cryptographic modules) and the other is called the DISA STIG. If you take a few steps around these two standards you can get a much more secure system.
There are many more things on top of this guide that you can do to further harden your systems, depending on the type of attack you are concerned about or the topology of the solution you are building, but those are out of scope for this writing. For this post, we’ll just be covering FIPS mode. My next post will cover an attempt to apply the DISA STIG to a CentOS Stream 9 system.
Let’s Get Started
Before you touch anything on your fresh install, update to the latest set of packages available through yum (on CentOS 9, yum is just an alias for dnf, so either name works in the commands below).
yum -y update
Enabling FIPS Mode
First, we’ll set up FIPS mode. Install the dracut-fips package, which adds the initramfs module that verifies the kernel image against its shipped HMAC at boot when fips=1 is on the kernel command line:
yum -y install dracut-fips
Older guides (written for EL7) also tell you to install dracut-fips-aesni when your CPU has the AES-NI instruction set. That separate package is not shipped in CentOS Stream 9, so if dnf reports no match for it, that is why; dracut-fips alone is what you need. Also be aware that on EL9 the supported way to do everything that follows is a single command, fips-mode-setup --enable, which puts fips=1 (and boot=, when /boot is separate) on the kernel command line and switches the system-wide crypto-policy to FIPS. The manual steps below show what that does under the hood, so you understand what you are trusting.
Run dracut to regenerate the initramfs for the running kernel so that it includes the fips module (-f overwrites the existing image, -v shows what gets pulled in):
dracut -v -f
Find out what block device your boot partition is on:
df /boot | tail -n 1 | awk '{ print $1; }'
Get the UUID for that device using the above’s output. Ask blkid for just that one tag rather than scraping its full output with sed, which breaks as soon as the order of the tags changes (PARTUUID=, for example, also ends in UUID=):
blkid -s UUID -o value $above_output
Or, if you’re lazy:
blkid -s UUID -o value "$(df /boot | tail -n 1 | awk '{ print $1; }')"
Once you’ve got your UUID for /boot, open up your /etc/default/grub
file:
vim /etc/default/grub
Append fips=1 inside the quotes of the line that starts with GRUB_CMDLINE_LINUX.
If your /boot partition is a separate mount from your root filesystem, then also append:
boot=UUID=<< YOUR_UUID >>
The boot= option tells the dracut fips module where to find the kernel image and its HMAC file when it runs its integrity check; if /boot lives on the root filesystem it finds them without help, so leave boot= out in that case.
Save and exit, and then you’ll want to regenerate grub.cfg with:
grub2-mkconfig -o /etc/grub2.cfg
(/etc/grub2.cfg is the symlink to the BIOS boot configuration; on a UEFI install, write to /etc/grub2-efi.cfg instead.)
Now in the case of CentOS 9, at least in my case on a Linode CentOS 9 image, I got an error like this:
[root@localhost ~]# grub2-mkconfig -o /etc/grub2.cfg
Generating grub configuration file ...
/etc/grub.d/00_tuned: line 26: /etc/tuned/bootcmdline: No such file or directory
Though ridiculous and unprofessional for a release, this is the new reality for CentOS, so just go with it: yum install tuned
and move on with your life before running grub2-mkconfig -o /etc/grub2.cfg
again, so that you don’t have to dig around inside of grub to make it do what it was designed to do.
Provided you read closely and followed the steps outlined here, you can now reboot and you should see that your machine is running in FIPS mode. If the boot= UUID is wrong or the initramfs was not regenerated, the dracut fips module cannot run its integrity check and refuses to continue the boot, so have console access (Lish on Linode, or whatever out-of-band console your provider offers) ready before you reboot.
Run reboot:
reboot
Now let’s verify our newly booted system is actually running compliantly. Truth be told, if something failed, your system probably won’t even boot.
cat /proc/sys/crypto/fips_enabled
The result of the above call should return 1.
That only proves the kernel is in FIPS mode. Userspace libraries (OpenSSL, GnuTLS, NSS, libgcrypt) follow the system-wide crypto-policy, so also confirm that it is set to FIPS. On CentOS Stream 9 the supported tool checks both at once:
fips-mode-setup --check
If it reports that FIPS mode is not fully enabled, set the policy with update-crypto-policies --set FIPS (or simply run fips-mode-setup --enable, which also does the kernel command line work from above) and reboot once more. One last caveat: Red Hat recommends enabling FIPS mode at install time rather than afterwards, because any keys the system generated before the switch (SSH host keys, for instance) were not produced by validated modules and should be regenerated.
Congratulations, your system is running with FIPS mode enabled.
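The manual procedure above, collected into one idempotent script. This is an added example, not code from the original post: it assumes an EL9-style /etc/default/grub containing a GRUB_CMDLINE_LINUX="..." line, that dracut-fips is installable, and a BIOS boot (swap /etc/grub2.cfg for /etc/grub2-efi.cfg on UEFI). The helper functions take the grub file path as an argument so they can be tried against a throwaway copy first; nothing on the system is touched unless the script is run as root with --apply.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): enable FIPS mode by hand on
# CentOS Stream 9 the way the post describes, but without editing files in vim.
# Assumes an EL9-style /etc/default/grub and a BIOS boot (see lead-in).
set -euo pipefail

# cmdline_value FILE: print the current GRUB_CMDLINE_LINUX value without quotes
# (the last definition wins, matching how grub's shell-style config is read).
cmdline_value() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# cmdline_has FILE KEY: succeed if a token named KEY (e.g. fips, boot) is set.
cmdline_has() {
    local tok
    for tok in $(cmdline_value "$1"); do
        [ "${tok%%=*}" = "$2" ] && return 0
    done
    return 1
}

# cmdline_add FILE ARG: append ARG (key or key=value) unless the key is already
# present. An existing value is deliberately left alone: silently rewriting a
# boot= or fips= that someone else configured is how you get an unbootable box.
cmdline_add() {
    local file=$1 arg=$2 key=${2%%=*} cur new new_esc tmp
    if ! grep -q '^GRUB_CMDLINE_LINUX=' "$file"; then
        printf 'GRUB_CMDLINE_LINUX=""\n' >> "$file"
    fi
    cmdline_has "$file" "$key" && return 0
    cur=$(cmdline_value "$file")
    new=${cur:+$cur }$arg
    new_esc=$(printf '%s' "$new" | sed 's/[&|\\]/\\&/g')   # escape for sed
    tmp=$(mktemp)
    sed "s|^GRUB_CMDLINE_LINUX=\".*\"[[:space:]]*\$|GRUB_CMDLINE_LINUX=\"$new_esc\"|" \
        "$file" > "$tmp"
    cat "$tmp" > "$file"    # write in place so ownership and mode are kept
    rm -f "$tmp"
}

# boot_uuid: print the UUID of the filesystem holding /boot, or nothing when
# /boot lives on the root filesystem (then dracut-fips needs no boot= at all).
boot_uuid() {
    local target dev
    target=$(findmnt -n -o TARGET --target /boot)
    [ "$target" = "/boot" ] || return 0
    dev=$(findmnt -n -o SOURCE --target /boot)
    blkid -s UUID -o value "$dev"
}

# fips_flag FILE: read the kernel FIPS flag from FILE (normally
# /proc/sys/crypto/fips_enabled) and print "1" or "0"; unreadable counts as 0.
fips_flag() {
    local v
    v=$(tr -dc '01' 2>/dev/null < "$1" || true)
    [ "$v" = "1" ] && echo 1 || echo 0
}

if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    dnf -y install dracut-fips          # EL9 ships no dracut-fips-aesni
    dracut -v -f                        # rebuild initramfs with the fips module
    cmdline_add /etc/default/grub fips=1
    uuid=$(boot_uuid)
    [ -n "$uuid" ] && cmdline_add /etc/default/grub "boot=UUID=$uuid"
    grub2-mkconfig -o /etc/grub2.cfg    # /etc/grub2-efi.cfg on UEFI
    echo "GRUB_CMDLINE_LINUX is now: $(cmdline_value /etc/default/grub)"
    echo "Reboot, then expect fips_flag /proc/sys/crypto/fips_enabled -> 1"
    echo "and run fips-mode-setup --check to confirm the crypto-policy too."
fi
```

After the reboot, `fips_flag /proc/sys/crypto/fips_enabled` is the scriptable form of the cat check from the post; pair it with fips-mode-setup --check so you are not fooled by a kernel that is in FIPS mode while the crypto-policy is still DEFAULT.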