AlmaLinux OS 9 must use the TuxCare FIPS packages and not the default encryption packages.

STIG ID: ALMA-09-004320  |  SRG: SRG-OS-000033-GPOS-00014 |  Severity: high |  CCI: CCI-000068,CCI-002450,CCI-000877 |  Vulnerability Id: V-269126

Vulnerability Discussion

FIPS 140-3-validated packages are available from TuxCare here: https://tuxcare.com/fips-for-almalinux/

The original community packages must be replaced with the versions that have gone through the CMVP.

Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000125-GPOS-00065

Check

Verify that AlmaLinux OS 9 is using the TuxCare FIPS packages with the following command:

$ rpm -qa | grep -E '^(gnutls|nettle|nss|openssl|libgcrypt|kernel)-[0-9]+' | grep -v tuxcare

If the command returns anything, this is a finding.

Fix

Ensure FIPS-validated packages are in use instead of OS defaults using the following commands:

$ dnf -y upgrade
$ reboot

After rebooting into a FIPS kernel, remove the OS default kernel packages, using for example:

$ dnf remove kernel-5.14.0-284.11.1.el9_2.x86_64 kernel-5.14.0-284.30.1.el9_2.x86_64
$ dnf autoremove
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.