The HYCU server must use FIPS-validated algorithms for authentication to a cryptographic module and Keyed-Hash Message Authentication Code (HMAC) to protect the integrity and confidentiality of remote maintenance sessions.
An XCCDF Rule
Description
Unapproved algorithms used by the cryptographic module are not validated and therefore cannot be relied on to provide confidentiality or integrity, and DoD data may be compromised.

Remote maintenance and diagnostic activities are activities conducted by individuals communicating through an external network (e.g., the internet) or an internal network.

FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. However, authentication algorithms must configure security processes to use only FIPS-approved and NIST-recommended authentication algorithms.

This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to eavesdropping, potentially putting sensitive data (including administrator passwords) at risk of compromise and potentially allowing hijacking of maintenance sessions.

Currently, HMAC is the only FIPS-approved algorithm for generating and verifying message/data authentication codes in accordance with FIPS 198-1. Products that are FIPS 140-2 validated will have an HMAC that meets specification; however, the option must be configured for use as the only message authentication code used for authentication to cryptographic modules.

Satisfies: SRG-APP-000179-NDM-000265, SRG-APP-000411-NDM-000330, SRG-APP-000412-NDM-000331

Documentable: false
- ID: SV-246856r768232_rule
- Severity: High
- References
- Updated
Remediation - Manual Procedure
Stop the HYCU web server:
sudo systemctl stop grizzly.service
Enable FIPS-compliant mode:
sudo /opt/grizzly/bin/enable_fips.sh
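
The two remediation commands above, wrapped in a guarded script that refuses to run the FIPS script unless the service is confirmed inactive. This is an added example, not code from HYCU or from the STIG; the function name, variable names and exit codes are assumptions, and only the service name and script path come from the procedure above.

```shell
#!/bin/sh
# Added example: guarded form of the two remediation commands on this page.
# Function name, variable names and exit codes are illustrative assumptions.
# SERVICE and ENABLE_FIPS default to the values shown in the procedure and
# can be overridden to rehearse the logic against stubs.
SERVICE="${SERVICE:-grizzly.service}"
ENABLE_FIPS="${ENABLE_FIPS:-/opt/grizzly/bin/enable_fips.sh}"

hycu_enable_fips() {
    # Do not stop the web server if the FIPS script is missing.
    if [ ! -x "$ENABLE_FIPS" ]; then
        echo "missing or not executable: $ENABLE_FIPS" >&2
        return 2
    fi
    # Step 1 from the page: stop the HYCU web server.
    if ! sudo systemctl stop "$SERVICE"; then
        echo "failed to stop $SERVICE" >&2
        return 3
    fi
    # Guard: confirm the unit is really inactive before changing crypto mode.
    if systemctl is-active --quiet "$SERVICE"; then
        echo "$SERVICE still active; not enabling FIPS mode" >&2
        return 4
    fi
    # Step 2 from the page: enable FIPS-compliant mode.
    if ! sudo "$ENABLE_FIPS"; then
        echo "$ENABLE_FIPS exited non-zero" >&2
        return 5
    fi
    # Anything that follows this step is not shown on the page and is not
    # performed here.
    echo "FIPS mode script completed for $SERVICE"
}

# Run only when asked, so the file can also be sourced for review.
if [ "${1:-}" = "apply" ]; then
    hycu_enable_fips
fi
```

Run it as `sh script.sh apply`; a non-zero exit code identifies which step failed, which is useful evidence for the remediation record.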