Security and hardening tasks
Enabling FIPS mode
FIPS includes standards for cryptographic operations and can be configured as required.
First, you must add the configuration from fips to your container build.
If you are using bootc-image-builder or bootc install to-disk, there are currently no further steps required for system installation; however, see below.
Usage with Anaconda
When performing an Anaconda installation you must additionally set fips=1 on the kernel command line for the installation environment.
This is necessary because the Anaconda installer may itself perform cryptographic operations such as setting up LUKS encrypted volumes.
crypto-policies and ca-trust configuration
Bootc systems gather their initial state from the container image they were deployed from. Any configuration under /etc will be automatically updated, deleted or replaced by any deployment done using bootc.
However, any file modified in any way after a deployment will be 100% the responsibility of the system administrator and will no longer be touched by bootc, even if those files are updated in the containers the system is receiving updates from.
This is important to highlight when dealing with certificates, denylists/allowlists or crypto policies. If on-the-fly changes need to happen without a deployment (which would require a reboot), the system administrator needs to be aware that manual updates will be required every time a package touches the sensitive configuration.
As an example, a system administrator trying to prevent changes to crypto policies at runtime and require all changes to come from the image can do the following:
FROM quay.io/centos-bootc/centos-bootc:stream10
RUN <
This will prevent admins from changing /etc/crypto-policies by running update-crypto-policies manually. They should see output similar to:
$ update-crypto-policies --set LEGACY
Setting system policy to LEGACY
Error saving config for bind
Keeping original configuration
Error saving config for gnutls
…
Keeping original configuration
…
Error updating current policy dump
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
Similarly, a system administrator could mask update-ca-trust to prevent running it during runtime.
On the other hand, if the system administrator needs to control ca-trust and crypto-policies at runtime, they can run update-ca-trust or update-crypto-policies after manually modifying the configs, and again after an update (once the deployment is completed and the system is rebooted), to restore their respective configurations in /etc to an expected state. This could be done with a systemd drop-in or manually.
We understand this behavior might not be optimal if you need to apply an update without a deployment and a reboot; we are exploring alternatives for a future bootc version in this GitHub issue.
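To see which crypto-policies and ca-trust files have become the administrator's responsibility, the live /etc can be compared with the image defaults. The script below is an added example, not part of the bootc documentation; it assumes the image's pristine configuration is kept under /usr/etc (the ostree layout), and etc_drift, list_entries and same_entry are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the bootc docs): report files under selected /etc
# subtrees that differ from the image defaults and are therefore admin-owned.
# Assumption: the image's pristine /etc is kept under /usr/etc (ostree layout).

# same_entry A B: true when both are symlinks with the same target, or both
# have identical content. crypto-policies back-ends are usually symlinks.
same_entry() {
    if [ -L "$1" ] || [ -L "$2" ]; then
        [ -L "$1" ] && [ -L "$2" ] && [ "$(readlink "$1")" = "$(readlink "$2")" ]
    else
        cmp -s "$1" "$2"
    fi
}

# list_entries ROOT SUBPATH: files and symlinks below ROOT/SUBPATH, sorted.
list_entries() {
    [ -d "$1/$2" ] || return 0
    (cd "$1" && find "$2" \( -type f -o -type l \)) | LC_ALL=C sort
}

# etc_drift DEFAULTS_ROOT LIVE_ROOT SUBPATH...
# Prints "modified|added|removed <relative path>", one line per drifted file.
etc_drift() {
    defaults=$1; live=$2; shift 2
    for sub in "$@"; do
        list_entries "$live" "$sub" | while IFS= read -r f; do
            if [ ! -e "$defaults/$f" ] && [ ! -L "$defaults/$f" ]; then
                echo "added $f"
            elif ! same_entry "$defaults/$f" "$live/$f"; then
                echo "modified $f"
            fi
        done
        list_entries "$defaults" "$sub" | while IFS= read -r f; do
            [ -e "$live/$f" ] || [ -L "$live/$f" ] || echo "removed $f"
        done
    done
}

# On a deployed host, check the two trees this page calls out.
if [ -d /usr/etc ]; then
    etc_drift /usr/etc /etc crypto-policies pki/ca-trust
fi
```

Any path it prints will not be updated by later deployments, so it needs to be reviewed after every image update.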