RHEL 9 must implement a systemwide encryption policy.

STIG ID: RHEL-09-672045  |  SRG: SRG-OS-000396-GPOS-00176 |  Severity: medium |  CCI: CCI-002450,CCI-002890,CCI-003123 |  Vulnerability Id: V-258241

Vulnerability Discussion

Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.

Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174

Check

Show the configured systemwide cryptographic policy by running the following command:

$ sudo update-crypto-policies --show
FIPS

If the main policy name is not "FIPS", this is a finding.

If the AD-SUPPORT subpolicy module is included (e.g., "FIPS:AD-SUPPORT"), and Active Directory support is not documented as an operational requirement with the information system security officer (ISSO), this is a finding.

If the NO-ENFORCE-EMS subpolicy module is included (e.g., "FIPS:NO-ENFORCE-EMS"), and not enforcing EMS is not documented as an operational requirement with the ISSO, this is a finding.

If any other subpolicy module is included, this is a finding.

Fix

Configure the FIPS policy as the systemwide cryptographic policy by running the following command:

$ sudo update-crypto-policies --set FIPS

Reboot the system to ensure that all aspects of the change take effect.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.