6.8 Ensure FIPS 140-2 OpenSSL Cryptography Is Used - fips_enabled

Information

Install, configure and use OpenSSL on a platform that has a NIST certified FIPS 140-2 installation of OpenSSL. This provides PostgreSQL instances the ability to generate and validate cryptographic hashes to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owner's requirements.
Rationale:
Federal Information Processing Standard (FIPS) Publication 140-2 is a computer security standard developed by a U.S. Government and industry working group for validating the quality of cryptographic modules. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. Postgres uses OpenSSL for the underlying encryption layer.
The database and application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. It is the responsibility of the data owner to assess the cryptography requirements in light of applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
For detailed information, refer to NIST FIPS Publication 140-2, Security Requirements for Cryptographic Modules. Note that the product's cryptographic modules must be validated and certified by NIST as FIPS-compliant. The security functions validated as part of FIPS 140-2 for cryptographic modules are described in FIPS 140-2 Annex A. Currently only Red Hat Enterprise Linux is certified as a FIPS 140-2 distribution of OpenSSL. For other operating systems, users must obtain or build their own FIPS 140-2 OpenSSL libraries.

Solution

Configure OpenSSL to be FIPS compliant. PostgreSQL uses OpenSSL for cryptographic modules. To configure OpenSSL to be FIPS 140-2 compliant, see the official RHEL Documentation. Below is a general summary of the steps required:
1. Disable prelinking:
   $ echo PRELINKING=no > /etc/sysconfig/prelink
2. Undo any prelinking on any system files:
   $ prelink -u -a
3. Install the dracut-fips package:
   $ yum -y install dracut-fips
4. Recreate the initramfs file:
   $ dracut -f
5. Modify the kernel command line of the current kernel in the /boot/grub/grub.conf file by adding the following option:
   fips=1
6. Reboot the system for changes to take effect.
7. Verify fips_enabled according to the Audit Procedure above.
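The state these steps leave behind can be audited from a shell. The helper below is an added example, not part of the benchmark or its audit procedure; it assumes the standard Linux locations /proc/sys/crypto/fips_enabled and /proc/cmdline plus the /etc/sysconfig/prelink file named in the steps, and takes each as a parameter so the checks can be exercised against constructed sample files.

```shell
#!/bin/sh
# Added audit helper for the fips_enabled control (not from the CIS benchmark).
# Each check takes its input as an argument, defaulting to the live RHEL location,
# so the same functions can be exercised against constructed sample files.

# Print 1 when the kernel FIPS flag file contains "1", otherwise 0.
# Returns 0 (compliant) or 1 (not compliant, or file unreadable).
fips_kernel_flag() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    if [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "1" ]; then
        echo 1
        return 0
    fi
    echo 0
    return 1
}

# Succeed when the kernel command line (passed as one string) carries the
# whole-word option fips=1; "nofips=1" or "fips=10" must not match.
cmdline_has_fips() {
    case " $1 " in
        *" fips=1 "*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Succeed when /etc/sysconfig/prelink (or the given file) sets PRELINKING=no.
# A missing file is treated as compliant: without prelink there is nothing to undo.
prelink_disabled() {
    f="${1:-/etc/sysconfig/prelink}"
    [ -e "$f" ] || return 0
    grep -Eq '^[[:space:]]*PRELINKING=no[[:space:]]*$' "$f"
}

# Run every check against the live system, print one line per item and
# return 0 only if all of them pass.
audit_fips() {
    rc=0
    fips_kernel_flag >/dev/null && echo "PASS fips_enabled=1" \
        || { echo "FAIL fips_enabled is not 1"; rc=1; }
    cmdline_has_fips "$(cat /proc/cmdline 2>/dev/null)" && echo "PASS fips=1 on kernel cmdline" \
        || { echo "FAIL fips=1 missing from /proc/cmdline"; rc=1; }
    prelink_disabled && echo "PASS prelinking disabled" \
        || { echo "FAIL PRELINKING=no not set in /etc/sysconfig/prelink"; rc=1; }
    return "$rc"
}

# Run the live audit only when invoked with --audit (e.g. sh fips_audit.sh --audit).
if [ "${1:-}" = "--audit" ]; then audit_fips; fi
```

A FAIL on the cmdline or prelink item after a PASS on fips_enabled usually means the flag was set by hand rather than persisted in grub.conf, and will not survive the next reboot.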

See Also

https://workbench.cisecurity.org/files/2063

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-13, CSCv6|14.2

Plugin: Unix

Control ID: a9c037e0527df036473a7f336599b018fa659ff6b2cd392c5d5ee809c91b1c44