{"description": "To enable FIPS on system that support the Advanced Encryption Standard (AES) or New\nInstructions (AES-NI) engine, the system requires that the <tt>dracut-fips-aesni</tt>\npackage be installed.\nThe <code>dracut-fips-aesni</code> package can be installed with the following command:\n<pre>\n$ apt-get install dracut-fips-aesni</pre>", "rationale": "Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to\nprotect data. The operating system must implement cryptographic modules adhering to the higher\nstandards approved by the federal government since this provides assurance they have been tested\nand validated.", "severity": "medium", "references": {"cis-csc": ["12", "15", "8"], "cjis": ["5.10.1.2"], "cobit5": ["APO13.01", "DSS01.04", "DSS05.02", "DSS05.03"], "cui": ["3.13.11", "3.13.8"], "isa-62443-2009": ["4.3.3.6.6"], "isa-62443-2013": ["SR 1.13", "SR 2.6", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.11.2.6", "A.13.1.1", "A.13.2.1", "A.14.1.3", "A.6.2.1", "A.6.2.2"], "nerc-cip": ["CIP-003-8 R4.2", "CIP-007-3 R5.1"], "nist": ["SC-12(2)", "SC-12(3)", "IA-7", "SC-13", "CM-6(a)", "SC-12"], "nist-csf": ["PR.AC-3", "PR.PT-4"], "srg": ["SRG-OS-000033-GPOS-00014", "SRG-OS-000396-GPOS-00176", "SRG-OS-000478-GPOS-00223"], "anssi": ["R1"]}, "control_references": {"anssi": ["R1"]}, "components": [], "identifiers": {}, "ocil_clause": "the package is not installed", "ocil": " Run the following command to determine if the <code>dracut-fips-aesni</code> package is installed: <pre>$ dpkg -l  dracut-fips-aesni</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "The system needs to be rebooted for these changes to take effect."}, {"regulatory": "System Crypto Modules must be provided by a vendor that undergoes\nFIPS-140 certifications.\nFIPS-140 is applicable to all Federal agencies that use\ncryptographic-based security systems to protect sensitive information\nin computer and telecommunication systems (including voice systems) as\ndefined in Section 5131 of the Information Technology Management Reform\nAct of 1996, Public Law 104-106. This standard shall be used in\ndesigning and implementing cryptographic modules that Federal\ndepartments and agencies operate or are operated for them under\ncontract. See <b>\n<a xmlns='http://www.w3.org/1999/xhtml' href='https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf'>https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf</a></b>\nTo meet this, the system has to have cryptographic software provided by\na vendor that has undergone this certification. This means providing\ndocumentation, test results, design information, and independent third\nparty review by an accredited lab. While open source software is\ncapable of meeting this, it does not meet FIPS-140 unless the vendor\nsubmits to this process."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "system_with_kernel and not osbuild", "platforms": ["system_with_kernel and not osbuild"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["not_osbuild_and_system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Install the dracut-fips-aesni Package", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/rule.yml", "template": null}