OpenControls Logo

STIG Viewer

RHEL 10 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-280979RHEL-10-200632SV-280979r1165292_ruleCCI-002475medium
Description
RHEL 10 installation media ships with an optional file integrity tool called Advanced Intrusion Detection Environment (AIDE). AIDE is highly configurable at install time. This requirement assumes the "aide.conf" file is under the "/etc" directory. File integrity tools use cryptographic hashes for verifying that file contents and directories have not been altered. These hashes must be FIPS 140-3-approved cryptographic hashes.
STIGDate
Red Hat Enterprise Linux 10 Security Technical Implementation Guide2026-03-11

Details

Check Text (C-280979r1165292_chk)

Verify RHEL 10 AIDE is configured to use FIPS 140-3 file hashing. Verify global default hash settings with the following command: $ sudo grep -iE 'sha|md5|rmd' /etc/aide.conf | grep -v ^# FIPSR = p+i+n+u+g+s+m+ftype+growing+acl+selinux+xattrs+sha512 ALLXTRAHASHES = sha512 /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 NORMAL = FIPSR+sha512 LSPP = FIPSR+sha512 DATAONLY = R+sha512 /etc/gshadow NORMAL /etc/shadow NORMAL If any hashes other than "sha512" are present, this is a finding. Confirm no legacy hashes exist with the following command: $ sudo grep -iE 'md5|sha1|whirlpool|tiger' /etc/aide.conf | grep -v ^# If any uncommented lines are returned, this is a finding.

Fix Text (F-85445r1165291_fix)

Configure RHEL 10 so that the file integrity tool uses FIPS 140-3 cryptographic hashes for validating file and directory contents. If AIDE is installed, ensure the "sha512" rule is present on all uncommented file and directory selection lists, and that no legacy hashes exist. By default, AIDE excludes log files such as "/var/log" and other volatile files to reduce unnecessary notifications.