6.7 Ensure FIPS 140-2 OpenSSL Cryptography Is Used - openssl version

Information

Install, configure, and use OpenSSL on a platform that has a NIST certified FIPS 140-2 installation of OpenSSL. This provides PostgreSQL instances the ability to generate and validate cryptographic hashes to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owner's requirements.
Rationale:
Federal Information Processing Standard (FIPS) Publication 140-2 is a computer security standard developed by a U.S. Government and industry working group for validating the quality of cryptographic modules. Use of weak, or untested, encryption algorithms undermine the purposes of utilizing encryption to protect data. PostgreSQL uses OpenSSL for the underlying encryption layer.
The database and application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. It is the responsibility of the data owner to assess the cryptography requirements in light of applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
For detailed information, refer to NIST FIPS Publication 140-2, Security Requirements for Cryptographic Modules. Note that the product's cryptographic modules must be validated and certified by NIST as FIPS-compliant. The security functions validated as part of FIPS 140-2 for cryptographic modules are described in FIPS 140-2 Annex A. Currently only Red Hat Enterprise Linux is certified as a FIPS 140-2 distribution of OpenSSL. For other operating systems, users must obtain or build their own FIPS 140-2 OpenSSL libraries.

Solution

Configure OpenSSL to be FIPS compliant. PostgreSQL uses OpenSSL for cryptographic modules. To configure OpenSSL to be FIPS 140-2 compliant, see the official RHEL Documentation. Below is a general summary of the steps required:
Install the dracut-fips package
$ yum -y install dracut-fips
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: mirror.cisp.com
* extras: mirror.den1.denvercolo.net
* updates: mirror.math.princeton.edu
Resolving Dependencies
--> Running transaction check
---> Package dracut-fips.noarch 0:004-411.el6 will be installed
--> Processing Dependency: hmaccalc for package: dracut-fips-004-411.el6.noarch
--> Running transaction check
---> Package hmaccalc.x86_64 0:0.9.12-2.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
dracut-fips noarch 004-411.el6 base 38 k
Installing for dependencies:
hmaccalc x86_64 0.9.12-2.el6 base 22 k

Transaction Summary
================================================================================
Install 2 Package(s)

Total download size: 60 k
Installed size: 108 k
Downloading Packages:
(1/2): dracut-fips-004-411.el6.noarch.rpm | 38 kB 00:00
(2/2): hmaccalc-0.9.12-2.el6.x86_64.rpm | 22 kB 00:00
--------------------------------------------------------------------------------
Total 334 kB/s | 60 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : hmaccalc-0.9.12-2.el6.x86_64 1/2
Installing : dracut-fips-004-411.el6.noarch 2/2
Verifying : hmaccalc-0.9.12-2.el6.x86_64 1/2
Verifying : dracut-fips-004-411.el6.noarch 2/2

Installed:
dracut-fips.noarch 0:004-411.el6

Dependency Installed:
hmaccalc.x86_64 0:0.9.12-2.el6

Complete!
Recreate the initramfs file
$ dracut -f
Modify the kernel command line of the current kernel in the /boot/grub/grub.conf file by adding the following option: fips=1
Reboot the system for changes to take effect.
Verify fips_enabled according to Audit Procedure above.

See Also

https://workbench.cisecurity.org/files/2235

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8, CSCv6|14.2, CSCv7|14.4

Plugin: Unix

Control ID: 817d33da46235f57b1a1e764621349e3dad49e03cc539591af37fff6f340b9d8