Securing the Future: FIPS 140-3 Validation and the DISA STIG for AlmaLinux OS
2024-08-22 16:00:39 Author: securityboulevard.com

FIPS 140-3

In exciting news – TuxCare recently received a CMVP validated certificate for the AlmaLinux 9.2 kernel and is now on the NIST Active list (ahead of Red Hat & Oracle!); we are expecting our OpenSSL certificate soon too.

The userspace modules (libgcrypt, nss, gnutls) are on the MIP list but may take a few more months due to the CMVP backlog, which, thanks to the new Interim Validation program, should be moving along a lot quicker – indeed, we weren’t expecting our kernel certificate for another couple of months.

Our FIPS 140-3 packages form part of our Extended Security Updates product, which includes updates to the FIPS packages (we recently did a V2 re-validation of the kernel to include fixes for various vulnerabilities, including CVE-2024-1086, which made its way into CISA’s Known Exploited Vulnerabilities Catalog) as well as the ability to stay on a minor version of AlmaLinux for an extended period whilst still receiving security updates – no more 6-month lifecycle or choosing between security and compliance for your products or infrastructure!

FIPS validation, aside from the cryptography, also demonstrates that the vendor applies rigorous software testing, has invested in a mature development model and is committed to maintaining the security of the modules.


You don’t have to be working with the US government to benefit from FIPS 140-3 validated products – anyone looking to protect their data and the privacy of their customers should consider enabling “fips mode” on their servers, so they can be safe in the knowledge that the cryptography used by their webserver, mailserver, remote access and so on has all been thoroughly tested. The validation process also ensures that the implementation of that crypto in software has been vetted and includes steps to prevent modification or running with unauthorised configurations.
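To act on the “fips mode” advice above, here is an added example (not from the post and not TuxCare’s own tooling) that checks whether an AlmaLinux 9 host’s kernel flag, system-wide crypto policy and boot command line all agree that FIPS mode is on; fips_verdict and live_fips_check are names chosen here, and the three inputs are the same facts that fips-mode-setup --check inspects.

```shell
#!/bin/sh
# Added example: audit FIPS mode on AlmaLinux 9 / RHEL 9 by checking the three
# places that must agree. The names fips_verdict and live_fips_check are
# chosen for this example; the real tools are fips-mode-setup --check and
# update-crypto-policies --show.

# Usage: fips_verdict <fips_enabled> <crypto_policy> <kernel_cmdline>
# Returns 0 only when all three indicators are consistent with FIPS mode.
fips_verdict() {
  enabled="$1"; policy="$2"; cmdline="$3"; problems=0
  # 1. The kernel crypto self-tests and FIPS approved-only mode are active.
  if [ "$enabled" != "1" ]; then
    echo "kernel: /proc/sys/crypto/fips_enabled is '$enabled', expected 1"
    problems=$((problems + 1))
  fi
  # 2. Userspace libraries (OpenSSL, GnuTLS, NSS, libgcrypt) follow the FIPS
  #    policy; FIPS:OSPP-style subpolicies are still FIPS-based and accepted.
  case "$policy" in
    FIPS|FIPS:*) ;;
    *) echo "userspace: crypto policy is '$policy', expected FIPS"
       problems=$((problems + 1)) ;;
  esac
  # 3. fips=1 is on the kernel command line, so the setting survives a reboot.
  case " $cmdline " in
    *" fips=1 "*) ;;
    *) echo "boot: kernel cmdline lacks fips=1 (FIPS mode is not persistent)"
       problems=$((problems + 1)) ;;
  esac
  if [ "$problems" -eq 0 ]; then
    echo "FIPS mode: consistent"; return 0
  fi
  echo "FIPS mode: INCONSISTENT ($problems problem(s))"; return 1
}

# Gather the live values; each falls back to "unknown" off AlmaLinux/RHEL.
live_fips_check() {
  e=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo unknown)
  p=$(update-crypto-policies --show 2>/dev/null || echo unknown)
  c=$(cat /proc/cmdline 2>/dev/null || echo "")
  fips_verdict "$e" "$p" "$c"
}

# Run the live check only when invoked as: sh fips-check.sh --live
if [ "${1:-}" = "--live" ]; then live_fips_check; fi
```

A host that was switched on with `fips-mode-setup --enable` but then had its crypto policy changed back to DEFAULT, or whose bootloader entry lost `fips=1`, is reported as inconsistent rather than silently passing.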

DISA STIG

Our next bit of news – for a little over a year now, TuxCare has been working with DISA on writing a STIG for AlmaLinux OS 9 and it should be published by November, with Ansible/Chef/SCAP automation to follow shortly after. My own automation can be found here for people who want to try it out early – some of our customers have already participated in a pilot.

So what is a STIG, you may ask? STIG stands for Security Technical Implementation Guide; it’s a set of secure configuration standards for using a product (operating system, hardware, software….) within the US Department of Defense and associated networks (DoDIN).

A cybersecurity framework like ISO 27001 would describe STIGs along the lines of “a set of IT security compliance requirements and technical controls to achieve them”.

The requirements are largely based on the ubiquitous NIST SP 800-53. They have three severity categories: a CAT I finding could result in loss of life; a CAT II finding could result in injury or loss of Confidentiality, Integrity or Availability (known in the infosec world as the CIA Triad); and finally a CAT III finding could result in disaster recovery delays or loss of the ability to protect against the higher risk categories.

The use of FIPS cryptographic modules is mandatory with a STIG, as are some pretty hardcore policies like SmartCard authentication, CPU/RAM protection, LUKS full disk encryption, and the use of USBGuard – no more plugging your mobile phone into your work laptop!

Again, you don’t have to be part of the US government to find value in and use a STIG – it’s probably the highest level of security hardening guidance there is, covering practices like AAA, DLP, physical/logical access control and least privilege; it’s freely available, and with various tools able to test STIG compliance, it could be the answer to all of your cybersecurity compliance needs.

CIS benchmarks

Finally, I’m proud to announce that the Center for Internet Security has released the v2.0.0 AlmaLinux OS 9 benchmark which was tested on 9.4, is supported by the latest version of CIS-CAT Pro and will be available as a Build Kit later this month.

I’ve updated my Ansible/libvirt automation which also includes support for the AlmaLinux OS 8 v3.0.0 benchmark.

The main updates are based on the changes backported from the latest AlmaLinux OS 8 and Debian 12 benchmarks, to simplify the guidance around system-wide crypto policies, kernel module unloading and removing packages vs masking services. Similar changes will make it into the upcoming Ubuntu 24.04 benchmark.

TuxCare staff donate their time and expertise to the development and testing of the CIS benchmarks, and we work with various security product vendors to ensure that compliance scanning of the Linux distros we support is kept up to date. Many of our customers use the CIS benchmarks for their internal security baselines or for products that don’t require compliance with US Government legislation.

Contact us today to talk about your cybersecurity needs!

The post Securing the Future: FIPS 140-3 Validation and the DISA STIG for AlmaLinux OS appeared first on TuxCare.

*** This is a Security Bloggers Network syndicated blog from TuxCare authored by TuxCare Team. Read the original post at: https://tuxcare.com/blog/securing-the-future-fips-140-3-validation-and-the-disa-stig-for-almalinux-os/


Source: https://securityboulevard.com/2024/08/securing-the-future-fips-140-3-validation-and-the-disa-stig-for-almalinux-os/