STIGQter: STIG Summary: Red Hat Enterprise Linux 8 Security Technical Implementation Guide, Version: 1, Release: 2, Benchmark Date: 23 Apr 2021

The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package.

DISA Rule

SV-230254r627750_rule

Vulnerability Number

V-230254

Group Title

SRG-OS-000250-GPOS-00093

Rule Version

RHEL-08-010293

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the RHEL 8 OpenSSL library to use only ciphers employing FIPS 140-2-approved algorithms with the following command:

$ sudo fips-mode-setup --enable

A reboot is required for the changes to take effect.

Check Contents

Verify the OpenSSL library is configured to use only ciphers employing FIPS 140-2-approved algorithms:

Verify that system-wide crypto policies are in effect:

$ sudo grep -i opensslcnf.config /etc/pki/tls/openssl.cnf

.include /etc/crypto-policies/back-ends/opensslcnf.config

If the "opensslcnf.config" is not defined in the "/etc/pki/tls/openssl.cnf" file, this is a finding.

Verify which system-wide crypto policy is in use:

$ sudo update-crypto-policies --show

FIPS

If the system-wide crypto policy is set to anything other than "FIPS", this is a finding.
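
The two checks above, combined into one script as an added example (not part of the STIG text or of STIGQter; the function names and the sample files are constructed). Unlike the plain grep, it counts only an active .include line, so a commented-out directive is reported as a finding:

```shell
#!/bin/sh
# Added example: scripted form of the RHEL-08-010293 check.
# Function names and sample files are constructed for illustration.

# Active (uncommented) include of the crypto-policies OpenSSL back-end.
INCLUDE_RE='^[[:space:]]*\.include([[:space:]]+|[[:space:]]*=[[:space:]]*)/etc/crypto-policies/back-ends/opensslcnf\.config[[:space:]]*$'

# $1: path to openssl.cnf. Succeeds only if the include is present and active.
has_active_include() {
    grep -Eq "$INCLUDE_RE" "$1" 2>/dev/null
}

# $1: path to openssl.cnf, $2: output of "update-crypto-policies --show".
# Returns 0 when neither check produces a finding, 1 otherwise.
check_rhel_08_010293() {
    cnf=$1; policy=$2; rc=0
    if ! has_active_include "$cnf"; then
        echo "FINDING: no active .include of opensslcnf.config in $cnf"
        rc=1
    fi
    if [ "$policy" != "FIPS" ]; then
        echo "FINDING: crypto policy is '$policy', expected 'FIPS'"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "PASS: RHEL-08-010293"
    fi
    return "$rc"
}

# Constructed sample files so the script runs offline.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '[ crypto_policy ]' \
    '.include /etc/crypto-policies/back-ends/opensslcnf.config' > "$tmp/good.cnf"
printf '%s\n' '[ crypto_policy ]' \
    '#.include /etc/crypto-policies/back-ends/opensslcnf.config' > "$tmp/commented.cnf"

check_rhel_08_010293 "$tmp/good.cnf" FIPS || true
check_rhel_08_010293 "$tmp/commented.cnf" DEFAULT || true

# On a RHEL 8 host:
#   check_rhel_08_010293 /etc/pki/tls/openssl.cnf "$(update-crypto-policies --show)"
```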

Documentable

False

Check Content Reference

M

Target Key

2921

Comments