Nutanix OS must implement DOD-approved encryption to protect the confidentiality of SSH sessions.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-279533 | NXAC-OS-000009 | SV-279533r1192035_rule | CCI-000068 | high |

| Description |
|---|
| Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information. |

| STIG | Date |
|---|---|
| Nutanix Acropolis GPOS Security Technical Implementation Guide | 2026-02-24 |
Details
Check Text (C-279533r1192035_chk)
Verify Nutanix implements DOD-approved encryption to protect the confidentiality of remote access sessions.
1. Verify FIPS mode is enabled using the following command.
$ fips-mode-setup --check
FIPS mode is enabled.
2. If FIPS mode is "enabled", check if the kernel boot parameter is configured for FIPS mode using the following command.
$ grub2-editenv list | grep fips
kernelopts=crashkernel=1G-4G:192M,4G-64G:256M,64G-4096G:512M,4096G-:1G nomodeset biosdevname=0 rhgb quiet intel_iommu=on iommu=pt fips=1 audit=1 split_lock_detect=off audit_backlog_limit=8192 net.ifnames=0 systemd.unified_cgroup_hierarchy=1 boot=/dev/disk/by-label/boot ahv.platform=onprem l1tf=flush,nowarn retbleed=off page_poison=0 slub_debug=- spec_rstack_overflow=microcode
3. If the kernel command line is configured to use FIPS mode, check if the system is in FIPS mode using the following command.
$ sudo cat /proc/sys/crypto/fips_enabled
1
If FIPS mode is not "enabled", the kernel boot parameter is not configured for FIPS mode, or the system does not have a value of "1" for "fips_enabled" in "/proc/sys/crypto", this is a finding.
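The three conditions of the check above, combined into one script that reports a finding when any of them fails. This is an added example, not part of the STIG or any Nutanix tooling; the function names, the `--live` flag and the abbreviated sample kernelopts line are constructed here, and the inputs are passed as arguments so the logic can be exercised against captured command output.

```shell
#!/bin/sh
# Added example, not from the STIG: evaluates the three V-279533 check
# conditions. Inputs are passed in so the logic can be run against captured
# output; --live gathers them from the commands the check text names.

# Condition 1: first line of `fips-mode-setup --check` reports FIPS enabled.
# (Some versions print further lines after it, hence the prefix match.)
fips_setup_enabled() {
  case "$1" in
    "FIPS mode is enabled."*) return 0 ;;
    *) return 1 ;;
  esac
}

# Condition 2: the kernelopts line carries fips=1 as a whole parameter,
# so "fips=10" or a parameter merely containing the text does not pass.
kernelopts_has_fips() {
  printf '%s\n' "$1" | grep -Eq '(^|[[:space:]=])fips=1([[:space:]]|$)'
}

# Condition 3: the running kernel reports fips_enabled = 1.
# $1 is the file to read (defaults to the real procfs path).
proc_fips_enabled() {
  [ "$(cat "${1:-/proc/sys/crypto/fips_enabled}" 2>/dev/null)" = "1" ]
}

# All three must hold; any failure is a finding, as the check text states.
check_v279533() {
  if fips_setup_enabled "$1" && kernelopts_has_fips "$2" && proc_fips_enabled "$3"; then
    echo "NOT A FINDING"
    return 0
  fi
  echo "FINDING"
  return 1
}

# Live mode: run the commands from the check and feed their output in.
live_check() {
  setup_out=$(fips-mode-setup --check 2>/dev/null)
  opts_line=$(grub2-editenv list 2>/dev/null | grep fips)
  check_v279533 "$setup_out" "$opts_line" /proc/sys/crypto/fips_enabled
}

# Constructed sample, abbreviated from the kernelopts line in the check text.
SAMPLE_KERNELOPTS='kernelopts=crashkernel=1G-4G:192M nomodeset fips=1 audit=1 net.ifnames=0'

if [ "${1:-}" = "--live" ]; then
  live_check
fi
```

Run it with `--live` on the CVM, Prism Central VM, Files VM or AHV host being assessed; without the flag it only defines the functions.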
Fix Text (F-83991r1191562_fix)
Configure the system to run in FIPS mode.
1. For AOS, configure FIPS mode.
$ sudo salt-call state.sls security/CVM/fipsCVM
2. For Prism Central, configure FIPS mode.
$ sudo salt-call state.sls security/PCVM/fipsPCVM
3. For Files, configure FIPS mode.
$ sudo salt-call state.sls security/AFS/fipsAFS
4. For AHV, configure FIPS mode.
$ sudo salt-call state.sls security/KVM/fipsKVM