AlmaLinux OS 9 must use the TuxCare FIPS packages and not the default encryption packages.

An XCCDF Rule

Description

FIPS 140-3 validated packages are available from TuxCare. The original community packages must be replaced with the versions that have gone through the CMVP. Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000125-GPOS-00065

ID: SV-269126r1050008_rule
Version: ALMA-09-004320
Severity: High
References: CCI-000068 CCI-000877 CCI-002450
Updated: about 2 months ago

Remediation Templates

Ensure FIPS-validated packages are in use instead of OS defaults using the following commands:

$ dnf -y install openssl-3.0.7-20.el9_2.tuxcare.1 kernel-5.14.0-284.11.1.el9_2.tuxcare.5 gnutls-3.7.6-23.el9_2.tuxcare.3 nettle-3.8-3.el9_2.tuxcare.1 libgcrypt-1.10.0-10.el9_2.tuxcare.3 nss-3.90.0-6.el9_2.tuxcare.1

$ dnf -y upgrade
$ grubby --set-default=/boot/vmlinuz-5.14.0-284.11.1.el9_2.tuxcare.5.$(uname -i)

$ reboot

After rebooting into a FIPS kernel, remove the OS default kernel packages, using for example:

$ dnf remove kernel-5.14.0-284.11.1.el9_2.x86_64 kernel-5.14.0-284.30.1.el9_2.x86_64

$ dnf autoremove

AlmaLinux OS 9 must use the TuxCare FIPS packages and not the default encryption packages.

Description

Remediation Templates

A Manual Procedure