
AIX must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.


Overview

Finding ID: V-91565
Version: AIX7-00-001108
Rule ID: SV-101663r1_rule
IA Controls:
Severity: Medium
Description
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system.

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. AIX must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

OpenSSL FIPS object module is a cryptographic module that is designed to meet the requirements for FIPS 140-2 validation by CMVP and is compatible with OpenSSL libraries. The 2.0.13 FIPS object module version has been FIPS validated and certified by CMVP for multiple AIX versions on Power 7 and Power 8 platforms under certificate #2398. IBM has released a FIPS capable OpenSSL (Fileset VRMF: 20.13.102.1000), which is OpenSSL 1.0.2j version with 2.0.13 object module. The fileset is available in Web Download Pack.

Satisfies: SRG-OS-000120-GPOS-00061, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176

STIG: IBM AIX 7.x Security Technical Implementation Guide
Date: 2019-04-29

Details

Check Text (C-90719r3_chk)
Run the following command to determine the version of OpenSSL that is installed:

# lslpp -l | grep -i openssl
openssl.base 20.13.704.1776 COMMITTED Open Secure Socket Layer

If the OpenSSL version is older than "20.13.102.1000", this is a finding.
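
The version comparison in this check, automated as an added example (not part of the STIG text): it parses `lslpp -l` style output and compares the four VRMF fields numerically against "20.13.102.1000". The function names, the sample input, and the choice to return 2 when openssl.base is not listed are assumptions made for illustration.

```shell
#!/bin/sh
# Minimum FIPS-capable OpenSSL VRMF, taken from the check text.
MIN_VRMF="20.13.102.1000"

# vrmf_older A B: succeeds (exit 0) if VRMF A is older than VRMF B.
# Fields are compared numerically; as strings, "999" would sort after "1000".
vrmf_older() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1  # equal versions are not "older"
    }'
}

# check_openssl_fips: reads `lslpp -l` output on stdin and prints a verdict
# per openssl.base entry. Returns 0 = not a finding, 1 = finding,
# 2 = fileset not listed (assumption: treat as needing manual review).
check_openssl_fips() {
    status=2
    while read -r fileset level state _rest; do
        [ "$fileset" = "openssl.base" ] || continue
        [ "$status" -eq 2 ] && status=0
        if vrmf_older "$level" "$MIN_VRMF"; then
            echo "FINDING: $fileset $level ($state) is older than $MIN_VRMF"
            status=1
        else
            echo "OK: $fileset $level ($state)"
        fi
    done
    return "$status"
}

# Constructed sample input, not captured from a real system.
sample_lslpp() {
    cat <<'EOF'
  Fileset                 Level           State      Description
  openssl.base            20.13.102.999   COMMITTED  Open Secure Socket Layer
EOF
}

# On an AIX host: lslpp -l | check_openssl_fips
```
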
Fix Text (F-97763r3_fix)
Use the following command to uninstall the old version of OpenSSL that is not FIPS 140-2 certified, then install OpenSSL VRMF 20.13.102.1000:
# smitty install