AlmaLinux OS 9 must use the TuxCare FIPS repository.

STIG ID: ALMA-09-004310  |  SRG: SRG-OS-000033-GPOS-00014 |  Severity: high |  CCI: CCI-000068,CCI-000877,CCI-002450 |  Vulnerability Id: V-269125

Vulnerability Discussion

FIPS 140-3 validated packages are available from TuxCare.

The TuxCare repositories provide the packages and updates not found in the community repositories.

Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223

Check

Verify that AlmaLinux OS 9 is using the TuxCare FIPS repositories with the following command:

$ dnf repolist | grep tuxcare
tuxcare-base TuxCare Enterprise Support for AlmaLinux OS 9.2 - Base
tuxcare-esu TuxCare Enterprise Support for AlmaLinux OS 9.2 - ESU
tuxcare-fips TuxCare Enterprise Support for AlmaLinux OS 9.2 - FIPS Compliance Extension

If the 3 tuxcare-* repositories above are not enabled, this is a finding.

Fix

FIPS-validated packages are available from TuxCare as part of the Enterprise Support for AlmaLinux product line. Access the packages by purchasing an ESU license key.

Configure the operating system to implement FIPS mode with the following commands:

$ dnf install -y https://repo.tuxcare.com/tuxcare/tuxcare-release-latest-9.noarch.rpm

$ tuxctl ---fips --license-key ESU-XXXXXXXXXXXXXXXXXXX

$ dnf -y install openssl-3.0.7-20.el9_2.tuxcare.1 kernel-5.14.0-284.11.1.el9_2.tuxcare.5 gnutls-3.7.6-23.el9_2.tuxcare.3 nettle-3.8-3.el9_2.tuxcare.1 libgcrypt-1.10.0-10.el9_2.tuxcare.3 nss-3.90.0-6.el9_2.tuxcare.1

$ grubby --set-default=/boot/vmlinuz-5.14.0-284.11.1.el9_2.tuxcare.5.$(uname -i)

$ fips-mode-setup --enable

$ reboot
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.