Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data.
Verify RHEL 9 is set to use a FIPS 140-3-compliant systemwide cryptographic policy with the following command:
$ update-crypto-policies --show
FIPS
If the systemwide crypto policy is not set to "FIPS", this is a finding.
Note: If subpolicies have been configured, they could be listed in a colon-separated list starting with "FIPS", as follows: "FIPS:<SUBPOLICY-NAME>". This is not a finding.
Note: Subpolicies like AD-SUPPORT must be configured according to the latest guidance from the operating system vendor.
Verify the current minimum crypto-policy configuration with the following commands:
If the "hash" values do not include at least the following FIPS 140-3-compliant algorithms "SHA2-256 SHA2-384 SHA2-512 SHA2-224 SHA3-256 SHA3-384 SHA3-512 SHAKE-256", this is a finding.
If there are algorithms that include "SHA1" or a hash value less than "224", this is a finding.
If the "min_rsa_size" is not set to a value of at least "2048", this is a finding.
If these commands do not return any output, this is a finding.
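As an added example (not part of the STIG text), the following shell functions apply the three tests above to captured text: the policy name from update-crypto-policies --show, the "hash" list, and "min_rsa_size". The "key = values" layout of the policy dump is an assumption, and the sample inputs are constructed.

```shell
# Added example, not part of the STIG text: applies the check's three tests
# (policy name, hash list, min_rsa_size) to captured text so they can be run
# offline. The "key = values" layout of the policy dump is an assumption.
REQUIRED_HASHES="SHA2-256 SHA2-384 SHA2-512 SHA2-224 SHA3-256 SHA3-384 SHA3-512 SHAKE-256"
# Constructed sample of `update-crypto-policies --show` output with a subpolicy,
# and a constructed policy dump using the values the check text requires.
SAMPLE_SHOW="FIPS:STIG"
SAMPLE_POLICY="hash = $REQUIRED_HASHES
min_rsa_size = 2048"

# Prints the value of "KEY = ..." from a policy dump, or nothing if absent.
policy_value() {
  printf '%s\n' "$2" | sed -n "s/^$1[[:space:]]*=[[:space:]]*//p"
}

# 0 when the policy is "FIPS" or "FIPS:<SUBPOLICY>" (subpolicies are allowed).
policy_is_fips() {
  case "$1" in FIPS|FIPS:*) return 0 ;; *) return 1 ;; esac
}

# 0 when every required digest is listed and no SHA1 or sub-224-bit digest is.
hashes_compliant() {
  local hashes h width
  hashes=$(policy_value hash "$1")
  [ -n "$hashes" ] || return 1
  for h in $REQUIRED_HASHES; do
    case " $hashes " in *" $h "*) ;; *) return 1 ;; esac
  done
  for h in $hashes; do
    case "$h" in *SHA1*) return 1 ;; esac
    width=${h##*-}    # digest width follows the last '-' (e.g. SHA2-224 -> 224)
    case "$width" in *[!0-9]*|"") ;; *) [ "$width" -ge 224 ] || return 1 ;; esac
  done
  return 0
}

# 0 when min_rsa_size is present, numeric and at least 2048.
rsa_size_compliant() {
  local size
  size=$(policy_value min_rsa_size "$1" | tr -d '[:space:]')
  case "$size" in ""|*[!0-9]*) return 1 ;; esac
  [ "$size" -ge 2048 ]
}

# Prints "pass" when all three tests hold, otherwise "finding".
evaluate() {
  if policy_is_fips "$1" && hashes_compliant "$2" && rsa_size_compliant "$2"
  then echo pass; else echo finding; fi
}
evaluate "$SAMPLE_SHOW" "$SAMPLE_POLICY"   # prints "pass" for the samples
```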
Fix
Configure RHEL 9 to use a FIPS 140-3-compliant systemwide cryptographic policy.
Create a subpolicy for enhancements to the base systemwide crypto-policy by creating the file /etc/crypto-policies/policies/modules/STIG.pmod with the following content:
# Define ciphers and MACs for OpenSSH and libssh
cipher@SSH=AES-256-GCM AES-256-CTR AES-128-GCM AES-128-CTR
mac@SSH=HMAC-SHA2-512 HMAC-SHA2-256
Apply the policy enhancements to the FIPS systemwide cryptographic policy level with the following command:
$ sudo update-crypto-policies --set FIPS:STIG
Note: If additional subpolicies are being employed, they must be added to the update-crypto-policies command.
To make the cryptographic settings effective for already running services and applications, restart the system: