{"description": "Create a custom cryptographic policy to follow the guidance from DISA.", "rationale": "To follow STIG policy.", "severity": "medium", "references": {"srg": ["SRG-OS-000396-GPOS-00176", "SRG-OS-000393-GPOS-00173", "SRG-OS-000394-GPOS-00174"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the STIG subpolicy does not exist", "ocil": "Verify that <tt>/etc/crypto-policies/policies/modules/STIG.pmod</tt> exists and has the following content:\n<pre>\ncipher@SSH=AES-256-GCM AES-256-CTR AES-128-GCM AES-128-CTR\nmac@SSH=HMAC-SHA2-512 HMAC-SHA2-256\n</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must implement a FIPS 140-3-compliant systemwide cryptographic policy.", "vuldiscussion": "Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data.", "checktext": "Verify Ubuntu 22.04 is set to use a FIPS 140-3-compliant systemwide cryptographic policy with the following command:\n\n$ update-crypto-policies --show\n\nFIPS\n\nIf the systemwide crypto policy is not set to \"FIPS\", this is a finding.\n\nNote: If subpolicies have been configured, they could be listed in a colon-separated list starting with \"FIPS\" as follows FIPS:<SUBPOLICY-NAME>. This is not a finding.\n\nNote: Subpolicies like AD-SUPPORT must be configured according to the latest guidance from the operating system vendor.\n\nVerify the current minimum crypto-policy configuration with the following commands:\n\n$ grep -E 'rsa_size|hash' /etc/crypto-policies/state/CURRENT.pol\n\nhash = SHA2-256 SHA2-384 SHA2-512 SHA2-224 SHA3-256 SHA3-384 SHA3-512 SHAKE-256\nmin_rsa_size = 2048\n\nIf the \"hash\" values do not include at least the following FIPS 140-3-compliant algorithms \"SHA2-256 SHA2-384 SHA2-512 SHA2-224 SHA3-256 SHA3-384 SHA3-512 SHAKE-256\", this is a finding.\n\nIf there are algorithms that include \"SHA1\" or a hash value less than \"224\" this is a finding.\n\nIf the \"min_rsa_size\" is not set to a value of at least \"2048\", this is a finding.\n\nIf these commands do not return any output, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to use a FIPS 140-3-compliant systemwide cryptographic policy.\n\nCreate a subpolicy for enhancements to the base systemwide crypto-policy by creating the file /etc/crypto-policies/policies/modules/STIG.pmod with the following content:\n\n# Define ciphers and MACs for OpenSSH and libssh\ncipher@SSH=AES-256-GCM AES-256-CTR AES-128-GCM AES-128-CTR\nmac@SSH=HMAC-SHA2-512 HMAC-SHA2-256\n\nApply the policy enhancements to the FIPS systemwide cryptographic policy level with the following command:\n\n$ sudo update-crypto-policies --set FIPS:STIG\n\nNote: If additional subpolicies are being employed, they must be added to the update-crypto-policies command.\n\nTo make the cryptographic settings effective for already running services and applications, restart the system:\n\n$ sudo reboot"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Implement STIG Sub Crypto Policy", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/integrity/fips/fips_custom_stig_sub_policy/rule.yml", "template": null}