Vulnerability Discussion

Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data.

Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174

Check

Verify RHEL 10 is set to use a FIPS 140-3-compliant systemwide cryptographic policy.

Verify the current systemwide crypto-policy with the following command:

$ update-crypto-policies --show
FIPS

If the systemwide crypto-policy is not set to "FIPS", this is a finding.

Verify the current minimum crypto-policy configuration with the following commands:

$ sudo grep -E 'rsa_size|hash' /etc/crypto-policies/state/CURRENT.pol
hash = SHA2-256 SHA2-384 SHA2-512 SHA2-224 SHA3-256 SHA3-384 SHA3-512 SHAKE-256
min_rsa_size = 2048

If the "hash" values do not include at least the following FIPS 140-3-compliant algorithms, this is a finding:

"SHA2-256 SHA2-384 SHA2-512 SHA2-224 SHA3-256 SHA3-384 SHA3-512 SHAKE-256"

If any algorithms include "SHA1" or a hash value less than "224", this is a finding.

If the "min_rsa_size" is not set to a value of at least "2048", this is a finding.

If these commands do not return any output, this is a finding.

Fix

Configure RHEL 10 to use a FIPS 140-3-compliant systemwide cryptographic policy.

Set the systemwide crypto-policy to FIPS with the following command:

$ sudo update-crypto-policies --set FIPS
Setting system policy to FIPS

Note: Systemwide crypto-policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place.