{"description": "On a system where FIPS 140-2 mode is enabled, <tt>/proc/sys/crypto/fips_enabled</tt> must exist.\nTo verify FIPS mode, run the following command:\n<pre>cat /proc/sys/crypto/fips_enabled</pre>", "rationale": "Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to\nprotect data. The operating system must implement cryptographic modules adhering to the higher\nstandards approved by the federal government since this provides assurance they have been tested\nand validated.", "severity": "high", "references": {"nist": ["SC-12(2)", "SC-12(3)", "SC-13"], "srg": ["SRG-OS-000396-GPOS-00176", "SRG-OS-000478-GPOS-00223"], "stigid": ["UBTU-22-671010"], "stigref": ["SV-260650r987791_rule"]}, "control_references": {"stigid": ["UBTU-22-671010"]}, "components": [], "identifiers": {}, "ocil_clause": "the command 'cat /proc/sys/crypto/fips_enabled' returns nothing or '0' or the file does not exist", "ocil": "To verify <tt>/proc/sys/crypto/fips_enabled</tt> exists, run the following command:\n<pre>cat /proc/sys/crypto/fips_enabled</pre>\nThe output should be:\n<pre>1</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "To configure the OS to run in FIPS 140-2 mode, the kernel parameter \"fips=1\" needs to be added during its installation.\nEnabling FIPS mode on a preexisting system involves a number of modifications to it. Refer to the vendor installation\nguidances."}, {"regulatory": "System Crypto Modules must be provided by a vendor that undergoes\nFIPS-140 certifications.\nFIPS-140 is applicable to all Federal agencies that use\ncryptographic-based security systems to protect sensitive information\nin computer and telecommunication systems (including voice systems) as\ndefined in Section 5131 of the Information Technology Management Reform\nAct of 1996, Public Law 104-106. This standard shall be used in\ndesigning and implementing cryptographic modules that Federal\ndepartments and agencies operate or are operated for them under\ncontract. See <b>\n<a xmlns='http://www.w3.org/1999/xhtml' href='https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf'>https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf</a></b>\nTo meet this, the system has to have cryptographic software provided by\na vendor that has undergone this certification. This means providing\ndocumentation, test results, design information, and independent third\nparty review by an accredited lab. While open source software is\ncapable of meeting this, it does not meet FIPS-140 unless the vendor\nsubmits to this process."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "system_with_kernel and not osbuild", "platforms": ["system_with_kernel and not osbuild"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["not_osbuild_and_system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Verify '/proc/sys/crypto/fips_enabled' exists", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/integrity/fips/is_fips_mode_enabled/rule.yml", "template": null}