RHEL 9 must enable FIPS mode.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
high	V-258230	SRG-OS-000033-GPOS-00014	RHEL-09-671010	SV-258230r1155585_rule	2025-11-24	2

Description
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. This includes NIST FIPS-validated cryptography for the following: Provisioning digital signatures, generating cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000396-GPOS-00176, SRG-OS-000423-GPOS-00187, SRG-OS-000478-GPOS-00223

Description

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. This includes NIST FIPS-validated cryptography for the following: Provisioning digital signatures, generating cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000396-GPOS-00176, SRG-OS-000423-GPOS-00187, SRG-OS-000478-GPOS-00223

ℹ️ Check
Verify RHEL 9 is in FIPS mode with the following command: $ sudo fips-mode-setup --check FIPS mode is enabled. If FIPS mode is not enabled, this is a finding. If any other lines are returned by the above command, run the following command to see the currently applied crypto-policy: $ update-crypto-policies --show FIPS If the policy is not "FIPS" or a FIPS policy authorized by and documented with the ISSO, this is a finding.

ℹ️ Check

Verify RHEL 9 is in FIPS mode with the following command: $ sudo fips-mode-setup --check FIPS mode is enabled. If FIPS mode is not enabled, this is a finding. If any other lines are returned by the above command, run the following command to see the currently applied crypto-policy: $ update-crypto-policies --show FIPS If the policy is not "FIPS" or a FIPS policy authorized by and documented with the ISSO, this is a finding.

✔️ Fix
Configure the operating system to implement FIPS mode with the following command $ sudo fips-mode-setup --enable To ensure the kernel enables FIPS mode for early boot, "fips=1" must be added to the grub config: $ sudo grubby --update-kernel=ALL --args="fips=1" Verify the setting with the following command: $ cat /proc/cmdline BOOT_IMAGE=(hd0,gpt2)/vmlinuz-5.14.0-570.21.1.el9_6.x86_64 root=/dev/mapper/rhel-root ro resume=/dev/mapper/rhel-swap rd.luks.uuid=luks-cd37eb8d-a2c3-4671-96ee-1e6a3a681561 rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 boot=UUID=acbbb4ee-adc0-4cb2-9546-afab857b8849 audit_backlog_limit=8192 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M Reboot the system for the changes to take effect.

✔️ Fix

Configure the operating system to implement FIPS mode with the following command $ sudo fips-mode-setup --enable To ensure the kernel enables FIPS mode for early boot, "fips=1" must be added to the grub config: $ sudo grubby --update-kernel=ALL --args="fips=1" Verify the setting with the following command: $ cat /proc/cmdline BOOT_IMAGE=(hd0,gpt2)/vmlinuz-5.14.0-570.21.1.el9_6.x86_64 root=/dev/mapper/rhel-root ro resume=/dev/mapper/rhel-swap rd.luks.uuid=luks-cd37eb8d-a2c3-4671-96ee-1e6a3a681561 rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 boot=UUID=acbbb4ee-adc0-4cb2-9546-afab857b8849 audit_backlog_limit=8192 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M Reboot the system for the changes to take effect.