RHEL 9 must implement a FIPS 140-3 compliant systemwide cryptographic policy.

An XCCDF Rule

Description

Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174

ID: SV-258241r1051259_rule
Version: RHEL-09-215105
Severity: Medium
References: CCI-002450 CCI-002890 CCI-003123
Updated: about 2 months ago

Remediation Templates

Configure RHEL 9 to use a FIPS 140-3 compliant systemwide cryptographic policy.
 
Create subpolicies for enhancements to the systemwide crypto-policy with the following commands:
 
Create or edit the SCOPES-AND-WILDCARDS policy module in a text editor and insert options that modify the systemwide cryptographic policy as follows:
$ sudo vi /etc/crypto-policies/policies/modules/SCOPES-AND-WILDCARDS.pmod 
Add the following lines to the policy:
# Disable CHACHA20-POLY1305 for the TLS protocol (OpenSSL, GnuTLS, NSS, and OpenJDK)
cipher@TLS = -CHACHA20-POLY1305
 
# Disable all CBC mode ciphers for the SSH protocol (libssh and OpenSSH)
cipher@SSH = -*-CBC
 
Create or edit the OPENSSH-SUBPOLICY module in a text editor and insert options that modify the systemwide crypto-policy as follows:
$ sudo vi /etc/crypto-policies/policies/modules/OPENSSH-SUBPOLICY.pmod
 
Add the following lines to the policy:
# Define ciphers for OpenSSH
cipher@SSH=AES-256-GCM AES-128-GCM AES-256-CTR AES-128-CTR
 
# Define MACs for OpenSSH
mac@SSH=HMAC-SHA2-512 HMAC-SHA2-256
 
Create or edit the REQUIRE.pmod file and add the following lines to include the subpolicies in the FIPS configuration with the following command:

$ sudo vi /etc/crypto-policies/policies/modules/REQUIRE.pmod
 
Add the following lines to REQUIRE.pmod:
@OPENSSH-SUBPOLICY
@SCOPES-AND-WILDCARDS
 
Apply the policy enhancements to the FIPS systemwide cryptographic policy level with the following command:
 
$ sudo update-crypto-policies --set FIPS

Note: If additional subpolicies are being employed, they should be added to the REQUIRE.pmod as well. REQUIRE.pmod is included in the systemwide crypto-policy when it is set.
 
To make the cryptographic settings effective for already running services and applications, restart the system:
$ sudo reboot

RHEL 9 must implement a FIPS 140-3 compliant systemwide cryptographic policy.

Description

Remediation Templates

A Manual Procedure