RHEL 9 crypto policy files must match files shipped with the operating system.

STIG ID: RHEL-09-672015  |  SRG: SRG-OS-000478-GPOS-00223 | Severity: high |  CCI: CCI-002450

Vulnerability Discussion

The RHEL 9 package "crypto-policies" defines the cryptography policies for the system.

If the files are changed from those shipped with the operating system, it may be possible for RHEL 9 to use cryptographic functions that are not FIPS 140-3 approved.

Satisfies: SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176

Check

Verify that the RHEL 9 package "crypto-policies" has not been modified with the following command:

$ rpm -V crypto-policies

If the command has any output, this is a finding.

Fix

Reinstall the crypto-policies package to remove any modifications.

$ sudo dnf reinstall crypto-policies
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.