STIGQter: STIG Summary: Red Hat Enterprise Linux 8 Security Technical Implementation Guide, Version 1, Release 2, Benchmark Date: 23 Apr 2021

RHEL 8 must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

DISA Rule

SV-230223r627750_rule

Vulnerability Number

V-230223

Group Title

SRG-OS-000033-GPOS-00014

Rule Version

RHEL-08-010020

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure the operating system to implement DoD-approved encryption by following the steps below:

To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot parameters during system installation, so that key generation is done with FIPS-approved algorithms and the continuous monitoring tests are in place from the start.

Enable FIPS mode after installation (not strict FIPS compliant) with the following command:

$ sudo fips-mode-setup --enable

Reboot the system for the changes to take effect.

Check Contents

Verify the operating system implements DoD-approved encryption to protect the confidentiality of remote access sessions.

Check to see if FIPS mode is enabled with the following command:

$ sudo fipscheck

usage: fipscheck [-s <hmac-suffix>] <paths-to-files>

fips mode is on

If FIPS mode is "on", check to see if the kernel boot parameter is configured for FIPS mode with the following command:

$ sudo grub2-editenv - list | grep fips

kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82

If the kernel boot parameter is configured to use FIPS mode, check to see if the system is in FIPS mode with the following command:

$ sudo cat /proc/sys/crypto/fips_enabled

1

If FIPS mode is not "on", the kernel boot parameter is not configured for FIPS mode, or the system does not have a value of "1" for "fips_enabled" in "/proc/sys/crypto", this is a finding.
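The three conditions of the check above combined into one POSIX sh function, as an added example that is not part of the STIG or of STIGQter. The function names fips_finding and live_check are mine; fips_finding takes the three command outputs as arguments so it can be exercised against captured values, and live_check feeds it the real commands on the host under review.

```shell
#!/bin/sh
# Added example: evaluates the three conditions of the Check Contents.
# fips_finding returns 0 when all three conditions hold (not a finding)
# and 1 otherwise, printing the reason for each failed condition.
fips_finding() {
    fipscheck_out="$1"   # output of: fipscheck (stdout and stderr)
    kernelopts="$2"      # the kernelopts= line from: grub2-editenv - list
    proc_fips="$3"       # contents of /proc/sys/crypto/fips_enabled
    status=0

    # 1. fipscheck must report that FIPS mode is on
    case "$fipscheck_out" in
        *"fips mode is on"*) ;;
        *) echo "finding: fipscheck does not report 'fips mode is on'"; status=1 ;;
    esac

    # 2. the persistent boot parameters must carry fips=1 as a whole token
    #    (padding with spaces rejects look-alikes such as fips=10)
    case " $kernelopts " in
        *" fips=1 "*) ;;
        *) echo "finding: fips=1 missing from kernelopts"; status=1 ;;
    esac

    # 3. the running kernel must report fips_enabled=1
    if [ "$proc_fips" != "1" ]; then
        echo "finding: /proc/sys/crypto/fips_enabled is '${proc_fips:-unset}', expected 1"
        status=1
    fi

    if [ "$status" -eq 0 ]; then
        echo "not a finding: FIPS mode is on, persistent in GRUB and active in the kernel"
    fi
    return "$status"
}

# Live check on the host under review (grub2-editenv needs root)
live_check() {
    fips_finding "$(fipscheck 2>&1)" \
                 "$(grub2-editenv - list | grep '^kernelopts=')" \
                 "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)"
}
```

Run `live_check` as root on the target; a non-zero exit means the rule is a finding.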

Vulnerability Number

V-230223

Documentable

False

Rule Version

RHEL-08-010020

Severity Override Guidance


Check Content Reference

M

Target Key

2921

Comments