Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added FIPS blog post #623

Merged
merged 16 commits into from
Oct 7, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
62 changes: 62 additions & 0 deletions content/blog/2024-10-07-fips-validation-for-almalinux-update.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
---
title: "AlmaLinux 9.2 FIPS Validation Update"
type: blog
author:
name: "Noam Alum"
bio: "Automation Specialist at JetBackup"
image: /users/noam.jpeg
date: '2024-10-07'
images:
- /blog-images/2024/benny-we-need-an-image.png
post:
title: "FIPS Validation for AlmaLinux OS - update"
image: /blog-images/2024/fipsupdate.png
---

After a long wait ([view the previous blog post](https://almalinux.org/blog/2023-09-19-fips-validation-for-almalinux/)), the AlmaLinux 9.2 kernel received FIPS validation making it the first software implementation to receive a FIPS 140-3 ESV certificate using SHA3-256 as a conditioner. It's also the first EL9 distribution to get a FIPS 140-3 certificate for the kernel. View the certificate [here](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4750).

## What is FIPS?

When it comes to securing sensitive data, cryptographic standards play a crucial role. One of the most influential standards in this realm is **FIPS**, or **F**ederal **I**nformation **P**rocessing **S**tandards.

FIPS 140-3 is not just a Federal benchmark, it's recognized and respected worldwide, for instance, the European Union's [NIS 2 Directive](https://eur-lex.europa.eu/eli/dir/2022/2555) which focuses on network and information security mandates the use of *up-to-date encryption and cryptography leveraging established standards.* FIPS standards undergo extensive evaluations to ensure that cryptographic algorithms and implementations meet the highest security requirements, making it the gold standard for secure cryptographic practices across the globe.

Anyone who uses [AlmaLinux 9.2](/blog/almalinux-92-now-available/) can achieve FIPS compliance for FREE, the only thing you need to do is download the packages from the TuxCare repo [(docs)](https://docs.tuxcare.com/enterprise-support-for-almalinux/fips) and enable FIPS mode:

```bash
dnf -y install https://repo.tuxcare.com/fips/tuxcare-fips-release-latest-9.noarch.rpm
dnf -y install openssl-3.0.7-20.el9_2.tuxcare.1 kernel-5.14.0-284.11.1.el9_2.tuxcare.5
fips-mode-setup --enable
reboot
```

This allows people with less knowledge about cryptography to configure a strong baseline for implementing secure systems.

_Note: AlmaLinux 9.2 is no longer supported by the Foundation, and has been out of support since AlmaLinux 9.3 was released in [November of 2023](https://wiki.almalinux.org/release-notes/). Backporting security fixes to older versions is out of scope for the foundation, but [Tuxcare](https://tuxcare.com/) does provide that service to their customers. Since FIPS is primarily required by institutions that like support contracts, we strongly recommend anyone who's looking for it, talk to them._

### Testing

To test this, we can setup an HTTP server, for example [Apache](https://httpd.apache.org) - if you're interested, we have a comprehensive guide on [setting up a LAMP server](https://wiki.almalinux.org/series/LAMP-server.html) on AlmaLinux, but for now we can just run:

```bash
dnf -y install httpd mod_ssl
systemctl start httpd
```

If you were to scan the server using nmap, you would see something like this:

![nmap scan in fips mode](/blog-images/2024/nmap-fips.png)

For reference, with FIPS mode disabled you get the weaker TLSv1.2 and non-compliant ciphersuites using Edwards curves, SHA1 hashes and ChaCha20-Poly1305 ciphers:

![nmap scan in non-fips mode](/blog-images/2024/nmap-nonfips.png)

Another way to check your ciphers strength is to look them up on the [Ciphersuite Info](https://ciphersuite.info) website or using the [sslscan](https://github.com/rbsec/sslscan) tool.

### Whats next?

Simon John, the Security Certification Manager at [CloudLinux](https://cloudlinux.com/) has let me know that after AlmaLinux 9.5 gets released he is going to start working on the 9.6 validation, which hopefully will materialize faster than 9.2 due to improvements in the CMVP process aimed at reducing the backlog.

---

If you’re passionate about exploring new knowledge or sharing what you know, come join us in the [AlmaLinux Security Chat](https://chat.almalinux.org/almalinux/channels/security). It’s a great place to ask questions, exchange information, or just have a security-related chat. 😊
Binary file added static/blog-images/2024/fipsupdate.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added static/blog-images/2024/nmap-fips.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added static/blog-images/2024/nmap-nonfips.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading