Information
Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Using weak or untested encryption algorithms undermines the purposes of using encryption to protect data.
Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
Solution
Configure OL 8 to use a FIPS 140-3-compliant systemwide cryptographic policy.
Create a subpolicy that extends the base systemwide crypto-policy by creating the file /etc/crypto-policies/policies/modules/STIG.pmod with the following content:
# Define ciphers and MACs for OpenSSH and libssh
cipher@SSH=AES-256-GCM AES-256-CTR AES-128-GCM AES-128-CTR
mac@SSH=HMAC-SHA2-512 HMAC-SHA2-256
Apply the policy enhancements to the FIPS systemwide cryptographic policy level with the following command:
$ sudo update-crypto-policies --set FIPS:STIG
Note: If additional subpolicies are being employed, they must be added to the update-crypto-policies command.
To make the cryptographic settings effective for already running services and applications, restart the system:
$ sudo reboot
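The steps above can be captured as an audit helper that checks whether a host is in the required state: the STIG.pmod subpolicy carries exactly the cipher@SSH and mac@SSH directives given in the Solution, and the active policy reported by `update-crypto-policies --show` is FIPS with the STIG subpolicy applied (additional subpolicies, as the Note allows, are accepted). This is an added example written for this page, not script from the STIG or from the crypto-policies project; the function names, the write_stig_pmod helper, and the use of a caller-supplied file path (so the check can be exercised offline against a constructed file) are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of the STIG text): audit helper for the FIPS:STIG
# systemwide crypto-policy on OL 8. File path and policy name are passed in so
# the checks run against a constructed file offline as well as a real host.

# Expected STIG.pmod content, exactly as given in the Solution.
STIG_PMOD_EXPECTED='# Define ciphers and MACs for OpenSSH and libssh
cipher@SSH=AES-256-GCM AES-256-CTR AES-128-GCM AES-128-CTR
mac@SSH=HMAC-SHA2-512 HMAC-SHA2-256'

# write_stig_pmod PATH : write the subpolicy file. On a real host run as root
# with PATH=/etc/crypto-policies/policies/modules/STIG.pmod.
write_stig_pmod() {
    printf '%s\n' "$STIG_PMOD_EXPECTED" > "$1"
}

# check_stig_pmod PATH : return 0 only if the file carries the cipher@SSH and
# mac@SSH directives from the Solution, unchanged. Comment lines are ignored;
# any other cipher or MAC list (e.g. a CBC cipher or HMAC-SHA1) fails the check.
check_stig_pmod() {
    f="$1"
    [ -r "$f" ] || return 1
    want_cipher='cipher@SSH=AES-256-GCM AES-256-CTR AES-128-GCM AES-128-CTR'
    want_mac='mac@SSH=HMAC-SHA2-512 HMAC-SHA2-256'
    got_cipher=$(grep -v '^[[:space:]]*#' "$f" | grep '^cipher@SSH=' | head -n1)
    got_mac=$(grep -v '^[[:space:]]*#' "$f" | grep '^mac@SSH=' | head -n1)
    [ "$got_cipher" = "$want_cipher" ] && [ "$got_mac" = "$want_mac" ]
}

# check_policy_name NAME : NAME is the output of `update-crypto-policies --show`.
# The base policy must be FIPS and STIG must be one of the applied subpolicies;
# further subpolicies (FIPS:STIG:OTHER) are accepted, per the Note above.
check_policy_name() {
    case "$1" in
        FIPS:STIG|FIPS:STIG:*|FIPS:*:STIG|FIPS:*:STIG:*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_host : run both checks against the live system (needs the
# crypto-policies package; prints a one-line verdict and returns 0/1).
audit_host() {
    pmod=/etc/crypto-policies/policies/modules/STIG.pmod
    check_stig_pmod "$pmod" || { echo "FAIL: $pmod missing or not STIG content"; return 1; }
    check_policy_name "$(update-crypto-policies --show 2>/dev/null)" \
        || { echo "FAIL: active policy is not FIPS:STIG"; return 1; }
    echo "PASS: FIPS:STIG crypto-policy in place"
}
```

On a host, `audit_host` is the only function that needs to be called; a failing pmod check means the file was never created or was edited, and a failing policy-name check means `update-crypto-policies --set FIPS:STIG` was not applied (or was later replaced by a different policy). Neither check confirms that running services have picked up the policy, which is why the reboot step remains part of the remediation.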