Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
Security and Hardening Guide
  1. Preface
  2. 1 Security and confidentiality
  3. 2 Common Criteria
  4. I Authentication
    1. 3 Authentication with PAM
    2. 4 Using NIS
    3. 5 Setting up authentication clients using YaST
    4. 6 LDAP with 389 Directory Server
    5. 7 Network authentication with Kerberos
    6. 8 Active Directory support
    7. 9 Setting up a freeRADIUS server
  5. II Local security
    1. 10 Physical security
    2. 11 Software management
    3. 12 File management
    4. 13 Encrypting partitions and files
    5. 14 Storage encryption for hosted applications with cryptctl
    6. 15 User management
    7. 16 Restricting cron and at
    8. 17 Spectre/Meltdown checker
    9. 18 Configuring security settings with YaST
    10. 19 Authorization with PolKit
    11. 20 Access control lists in Linux
    12. 21 Intrusion detection with AIDE
  6. III Network security
    1. 22 X Window System and X authentication
    2. 23 SSH: secure network operations
    3. 24 Masquerading and firewalls
    4. 25 Configuring a VPN server
    5. 26 Managing a PKI with XCA, X certificate and key manager
    6. 27 Improving network security with sysctl variables
    7. 28 Enabling FIPS 140-2
  7. IV Confining privileges with AppArmor
    1. 29 Introducing AppArmor
    2. 30 Getting started
    3. 31 Immunizing programs
    4. 32 Profile components and syntax
    5. 33 AppArmor profile repositories
    6. 34 Building and managing profiles with YaST
    7. 35 Building profiles from the command line
    8. 36 Profiling your Web applications using ChangeHat
    9. 37 Confining users with pam_apparmor
    10. 38 Managing profiled applications
    11. 39 Support
    12. 40 AppArmor glossary
  8. V SELinux
    1. 41 Configuring SELinux
  9. VI The Linux Audit Framework
    1. 42 Understanding Linux audit
    2. 43 Setting up the Linux audit framework
    3. 44 Introducing an audit rule set
    4. 45 Useful resources
  10. A Achieving PCI DSS compliance
  11. B GNU licenses
Applies to SUSE Linux Enterprise Server 15 SP3

28 Enabling FIPS 140-2 Edit source

The Federal Information Processing Standard 140-2 (FIPS 140-2) is a security standard for cryptographic modules. Modules are certified by the National Institute of Standards and Technology (NIST, see https://csrc.nist.gov/projects/cryptographic-module-validation-program). See https://www.suse.com/support/security/certifications/ for a list of certified modules.

28.1 Installing FIPS Edit source

When you are installing a new instance of SUSE Linux Enterprise, select the patterns-server-enterprise-fips pattern. Then, after the installation is complete, enable FIPS by running the steps in Section 28.2, “Enabling FIPS”.

On an existing installation, install patterns-server-enterprise-fips, then follow the steps in Section 28.2, “Enabling FIPS”.

28.2 Enabling FIPS Edit source

Enabling FIPS takes a few steps. First, read the /usr/share/doc/packages/openssh-common/README.FIPS and /usr/share/doc/packages/openssh-common/README.SUSE files, from the openssh-common package. These contain important information about FIPS on SUSE Linux Enterprise.

Check if FIPS is already enabled:

tux > sudo sysctl -a | grep fips
crypto.fips_enabled = 0

crypto.fips_enabled = 0 indicates that it is not enabled. A return value of 1 means that it is enabled.

Then edit /etc/default/grub. If /boot is not on a separate partition, add fips=1 to GRUB_CMDLINE_LINUX_DEFAULT, like the following example:

GRUB_CMDLINE_LINUX_DEFAULT="splash=silent mitigations=auto quiet fips=1"

If /boot is on a separate partition, specify which partition, like the following example, substituting the name of your boot partition:

GRUB_CMDLINE_LINUX_DEFAULT="splash=silent mitigations=auto quiet fips=1 boot=/dev/sda1"

Save your changes, and rebuild your GRUB configuration and initramfs image:

tux > sudo grub2-mkconfig -o /boot/grub2/grub.cfg
tux > sudo mkinitrd

Reboot, then verify your changes. The following example shows that FIPS is enabled:

tux > sudo sysctl -a | grep fips
crypto.fips_enabled = 1

After enabling FIPS it is possible that your system will not boot. If this happens, reboot to bring up the GRUB menu. Press E to edit your boot entry, and delete the fips entry from the linux line. Press the F10 key to boot. This is a temporary change, and most likely the problem is an error in /etc/default/grub. Correct it, rebuild GRUB and initramfs, then reboot.

Print this page