For some reason, https://ubuntu.com/blog/running-fips-140-workloads-on-ubuntu, in the "enable FIPS" section, instructed me to run "ua enable fips-updates" instead of "ua enable fips", and now my system is not compliant. The reason is that the compliance scripts look for a file called fips_enabled inside /proc/sys/crypto with the variable "fips" set equal to 1. Enabling/installing fips does this for you automatically, but enabling fips-updates does not.
Some things that I have tried:
- Setting fips=1 in GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub.
- Disabling fips-updates, uninstalling ua, reinstalling ua, and then trying to enable fips, but the system detects that fips-updates was previously enabled on the system and therefore fips cannot be enabled.
Best Answer
When enabling FIPS with the UA client, `fips` is FIPS Certified, and `fips-updates` is FIPS Compliant. Alas, once you go from `fips` to `fips-updates` you can't go backwards to `fips` again. It's a one-way journey.

The distinction between FIPS Certified and FIPS Compliant is that `fips-updates` has the benefit of security patching, and even supports live kernel patching through Livepatch.

If you need to audit your fleet to determine what FIPS configuration has been applied where, you can audit UA Client FIPS configurations at scale with Landscape.