STIGQter: STIG Summary: Red Hat Enterprise Linux 8 Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 23 Apr 2021:

The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package.

DISA Rule

SV-230256r627750_rule

Vulnerability Number

V-230256

Group Title

SRG-OS-000250-GPOS-00093

Rule Version

RHEL-08-010295

Severity

CAT II

CCI(s)

• CCI-001453 - The information system implements cryptographic mechanisms to protect the integrity of remote access sessions.

Weight

10

Fix Recommendation

Configure the RHEL 8 GnuTLS library to use only DoD-approved encryption by adding the following line to "/etc/crypto-policies/back-ends/gnutls.config":

+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0

A reboot is required for the changes to take effect.

Check Contents

Verify the GnuTLS library is configured to only allow DoD-approved SSL/TLS Versions:

$ sudo grep -io +vers.* /etc/crypto-policies/back-ends/gnutls.config

+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM

If the "gnutls.config" does not list "-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:VERS-DTLS1.0" to disable unapproved SSL/TLS versions, this is a finding.

Vulnerability Number

V-230256

Documentable

False

Rule Version

RHEL-08-010295

Severity Override Guidance

Verify the GnuTLS library is configured to only allow DoD-approved SSL/TLS Versions:

$ sudo grep -io +vers.* /etc/crypto-policies/back-ends/gnutls.config

+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM

If the "gnutls.config" does not list "-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:VERS-DTLS1.0" to disable unapproved SSL/TLS versions, this is a finding.

Check Content Reference

M

Target Key

2921

Comments