AlmaLinux OS 9 must use the TuxCare FIPS packages and not the default encryption packages.

STIG ID: ALMA-09-004320  |  SRG: SRG-OS-000033-GPOS-00014 |  Severity: high |  CCI: CCI-000068,CCI-002450,CCI-000877 |  Vulnerability Id: V-269126

Vulnerability Discussion

FIPS 140-3 validated packages are available from TuxCare.

The original community packages must be replaced with the versions that have gone through the CMVP.

Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000125-GPOS-00065

Check

Verify that AlmaLinux OS 9 is using the TuxCare FIPS packages with the following command:

$ rpm -qa | grep -E '^(gnutls|nettle|nss|openssl|libgcrypt|kernel)-[0-9]+' | grep -v tuxcare

If the command returns anything, this is a finding.

Fix

Ensure FIPS-validated packages are in use instead of OS defaults using the following commands:

$ dnf -y install openssl-3.0.7-20.el9_2.tuxcare.1 kernel-5.14.0-284.11.1.el9_2.tuxcare.5 gnutls-3.7.6-23.el9_2.tuxcare.3 nettle-3.8-3.el9_2.tuxcare.1 libgcrypt-1.10.0-10.el9_2.tuxcare.3 nss-3.90.0-6.el9_2.tuxcare.1

$ dnf -y upgrade

$ grubby --set-default=/boot/vmlinuz-5.14.0-284.11.1.el9_2.tuxcare.5.$(uname -i)

$ reboot

After rebooting into a FIPS kernel, remove the OS default kernel packages, using for example:

$ dnf remove kernel-5.14.0-284.11.1.el9_2.x86_64 kernel-5.14.0-284.30.1.el9_2.x86_64

$ dnf autoremove
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.