Nutanix AOS must enable FIPS mode to implement NIST FIPS-validated cryptography.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-254224 | NUTX-OS-001460 | SV-254224r846760_rule | High |
| Description |
|---|
| Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. Satisfies: SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176 |
| STIG | Date |
|---|---|
| Nutanix AOS 5.20.x OS Security Technical Implementation Guide | 2022-08-24 |
Details
| Check Text ( C-57709r846758_chk ) |
|---|
| Confirm Nutanix AOS implements DoD-approved encryption to protect the confidentiality of remote access sessions. Determine if the "dracut-fips" package is installed with the following command: $ sudo yum list installed dracut-fips dracut-fips.x86_64-033-572.el7 If dracut-fips package is not installed, this is a finding. Determine if FIPS mode is enabled with the following command: $ fipscheck usage: fipscheck [-s fips mode is on If FIPS mode is "on", Determine if the kernel boot parameter is configured for FIPS mode with the following command: $ sudo cat /boot/grub/grub.conf | grep fips It the kernel output does not list "fips=1", this is a finding. If the kernel boot parameter is configured to use FIPS mode, Determine if the system is in FIPS mode with the following command: $ sudo cat /proc/sys/crypto/fips_enabled 1 If FIPS mode is not "on", the kernel boot parameter is not configured for FIPS mode, or the system does not have a value of "1" for "fips_enabled" in "/proc/sys/crypto", this is a finding. |
| Fix Text (F-57660r846759_fix) |
|---|
| Configure the system to run in FIPS mode by running the following command: $ sudo salt-call state.sls security/CVM/fipsCVM |