Check: RHEL-09-671020
RHEL 9 STIG:
RHEL-09-671020
(in versions v1 r1 through v1 r3)
Title
RHEL 9 IP tunnels must use FIPS 140-2/140-3 approved cryptographic algorithms. (Cat II impact)
Discussion
Overriding the system-wide crypto policy in the Libreswan configuration causes the IPsec service to behave in ways that violate expectations (for example, negotiating algorithms the selected policy would not allow) and fragments the system's cryptographic configuration across multiple files.
Check Content
Verify that the IPsec service uses the system crypto policy with the following command:

Note: If the ipsec service is not installed, this requirement is Not Applicable.

$ sudo grep include /etc/ipsec.conf /etc/ipsec.d/*.conf

/etc/ipsec.conf:include /etc/crypto-policies/back-ends/libreswan.config

If the ipsec configuration file does not contain "include /etc/crypto-policies/back-ends/libreswan.config", this is a finding.
Fix Text
Configure Libreswan to use the system cryptographic policy. Add the following line to "/etc/ipsec.conf":

include /etc/crypto-policies/back-ends/libreswan.config
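The check and fix above, as an added shell example that is not part of the STIG text or of Libreswan. The file paths are the ones the STIG names; the ROOT argument, the --audit flag and the make_sample_tree helper (which builds a constructed, non-real config tree for offline testing) are this example's own additions. Unlike the STIG's bare "grep include", the check only accepts the include as an active, whole-line directive, so a commented-out "#include ..." does not produce a false pass; prepending the line during remediation is also this example's choice, since the STIG only says to add it.

```shell
#!/bin/sh
# Added example (not part of the STIG or Libreswan): audit and remediation
# helpers for RHEL-09-671020. Paths mirror the STIG check; ROOT lets the same
# functions run against a constructed directory tree instead of the live system.

# Exact line the STIG requires in /etc/ipsec.conf (or a file it includes).
REQUIRED_INCLUDE='include /etc/crypto-policies/back-ends/libreswan.config'

# has_policy_include ROOT
# Returns 0 when ROOT/etc/ipsec.conf or any ROOT/etc/ipsec.d/*.conf carries the
# required include as an active directive, 1 otherwise (a finding).
# Leading/trailing whitespace is stripped and the whole line must match, so a
# commented-out '#include ...' is ignored rather than counted as a pass.
has_policy_include() {
    root="${1:-}"
    for f in "$root/etc/ipsec.conf" "$root"/etc/ipsec.d/*.conf; do
        [ -f "$f" ] || continue
        if sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$f" |
           grep -Fxq "$REQUIRED_INCLUDE"; then
            return 0
        fi
    done
    return 1
}

# ensure_policy_include ROOT
# Idempotent fix: if the include is missing, prepend it to ROOT/etc/ipsec.conf.
# Prepending is this example's choice (the STIG only says "add the line") so the
# policy's settings come before any conn sections. Writing back with
# 'cat > file' keeps the inode, mode and SELinux label of ipsec.conf.
ensure_policy_include() {
    root="${1:-}"
    conf="$root/etc/ipsec.conf"
    has_policy_include "$root" && return 0
    tmp=$(mktemp) || return 1
    { printf '%s\n' "$REQUIRED_INCLUDE"; cat "$conf"; } > "$tmp" &&
        cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# make_sample_tree DIR WITH_INCLUDE
# Builds a constructed (not real) ipsec config tree under DIR for offline tests:
# WITH_INCLUDE=yes writes a compliant ipsec.conf; anything else writes one where
# the include exists only as a comment, the case the STIG's plain grep would
# wrongly pass.
make_sample_tree() {
    dir="$1"; with_include="$2"
    mkdir -p "$dir/etc/ipsec.d"
    if [ "$with_include" = yes ]; then
        printf '%s\n' "$REQUIRED_INCLUDE" 'config setup' > "$dir/etc/ipsec.conf"
    else
        printf '%s\n' "# $REQUIRED_INCLUDE" 'config setup' > "$dir/etc/ipsec.conf"
    fi
    printf '%s\n' 'conn site-a' '    left=192.0.2.1' '    right=192.0.2.2' \
        > "$dir/etc/ipsec.d/site-a.conf"
}

# Run as a script with --audit: check the live system, exit 0 on pass, 1 on finding.
if [ "${1:-}" = --audit ]; then
    if has_policy_include ""; then
        echo "RHEL-09-671020: pass"
    else
        echo "RHEL-09-671020: finding (include missing)"
        exit 1
    fi
fi
```

Run "sudo sh check-671020.sh --audit" on the host to audit, or call ensure_policy_include "" (as root) to remediate. A passing include does not by itself prove compliance: an explicit ike= or esp= line in a conn section still overrides the included policy, which is the fragmentation the Discussion warns about, so review the conn sections as well.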
Additional Identifiers
Rule ID: SV-258232r926683_rule
Vulnerability ID: V-258232
Group Title: SRG-OS-000033-GPOS-00014
Expert Comments
CCIs
Number | Definition
---|---
CCI-000068 | The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions.
Controls
Number | Title
---|---
AC-17 (2) | Protection Of Confidentiality / Integrity Using Encryption