Check: SOL-11.1-060060
Solaris 11 SPARC STIG:
SOL-11.1-060060
(in versions v2 r10 through v1 r10)
Title
The operating system must employ FIPS-validate or NSA-approved cryptography to implement digital signatures. (Cat II impact)
Discussion
FIPS 140-2 is the current standard for validating cryptographic modules, and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified hardware based encryption modules.
Check Content
This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. The Crypto Management profile is required to execute this command. Check to ensure that FIPS-140 encryption mode is enabled. # cryptoadm list fips-140| grep -c "is disabled" If the output of this command is not "0", this is a finding.
Fix Text
The Crypto Management profile is required to execute this command. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Enable FIPS-140 mode. # pfexec cryptoadm enable fips-140 Reboot the system as requested.
Additional Identifiers
Rule ID: SV-219975r854535_rule
Vulnerability ID: V-219975
Group Title: SRG-OS-000396
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001148 |
The organization employs FIPS-validated or NSA-approved cryptography to implement digital signatures. |
| CCI-002450 |
The information system implements organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. |
Controls
| Number | Title |
|---|---|
| SC-13 |
Cryptographic Protection |