AIX must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-215216	AIX7-00-001108	SV-215216r853457_rule		Medium

Description
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. AIX must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. OpenSSL FIPS object module is a cryptographic module that is designed to meet the requirements for FIPS 140-2 validation by CMVP and is compatible with OpenSSL libraries. The 2.0.13 FIPS object module version has been FIPS validated and certified by CMVP for multiple AIX versions on Power 7 and Power 8 platforms under certificate #2398. IBM has released a FIPS capable OpenSSL (Fileset VRMF: 20.13.102.1000), which is OpenSSL 1.0.2j version with 2.0.13 object module. The fileset is available in Web Download Pack. Satisfies: SRG-OS-000120-GPOS-00061, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176

Description

FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. AIX must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. OpenSSL FIPS object module is a cryptographic module that is designed to meet the requirements for FIPS 140-2 validation by CMVP and is compatible with OpenSSL libraries. The 2.0.13 FIPS object module version has been FIPS validated and certified by CMVP for multiple AIX versions on Power 7 and Power 8 platforms under certificate #2398. IBM has released a FIPS capable OpenSSL (Fileset VRMF: 20.13.102.1000), which is OpenSSL 1.0.2j version with 2.0.13 object module. The fileset is available in Web Download Pack. Satisfies: SRG-OS-000120-GPOS-00061, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176

STIG	Date
IBM AIX 7.x Security Technical Implementation Guide	2023-08-23

Details

Check Text ( C-16414r294099_chk )
Run the following command to determine the version of OpenSSL that is installed: # lslpp -l \| grep -i openssl openssl.base 20.13.704.1776 COMMITTED Open Secure Socket Layer If the OpenSSL version is older than "20.13.102.1000", this is a finding.

Fix Text (F-16412r294100_fix)
Use the following command to uninstall the old version of OpenSSL that is not FIPS 140-2 certified, then install OpenSSL VRMF 20.13.102.1000: # smitty install