AlmaLinux OS 9 must use the TuxCare FIPS packages and not the default encryption packages.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
high	V-269126	SRG-OS-000033-GPOS-00014	ALMA-09-004320	SV-269126r1050008_rule	2025-02-20	1

Description
FIPS 140-3 validated packages are available from TuxCare. The original community packages must be replaced with the versions that have gone through the CMVP. Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000125-GPOS-00065

ℹ️ Check
Verify that AlmaLinux OS 9 is using the TuxCare FIPS packages with the following command: $ rpm -qa \| grep -E '^(gnutls\|nettle\|nss\|openssl\|libgcrypt\|kernel)-[0-9]+' \| grep -v tuxcare If the command returns anything, this is a finding.

✔️ Fix
Ensure FIPS-validated packages are in use instead of OS defaults using the following commands: $ dnf -y install openssl-3.0.7-20.el9_2.tuxcare.1 kernel-5.14.0-284.11.1.el9_2.tuxcare.5 gnutls-3.7.6-23.el9_2.tuxcare.3 nettle-3.8-3.el9_2.tuxcare.1 libgcrypt-1.10.0-10.el9_2.tuxcare.3 nss-3.90.0-6.el9_2.tuxcare.1 $ dnf -y upgrade $ grubby --set-default=/boot/vmlinuz-5.14.0-284.11.1.el9_2.tuxcare.5.$(uname -i) $ reboot After rebooting into a FIPS kernel, remove the OS default kernel packages, using for example: $ dnf remove kernel-5.14.0-284.11.1.el9_2.x86_64 kernel-5.14.0-284.30.1.el9_2.x86_64 $ dnf autoremove

✔️ Fix

Ensure FIPS-validated packages are in use instead of OS defaults using the following commands: $ dnf -y install openssl-3.0.7-20.el9_2.tuxcare.1 kernel-5.14.0-284.11.1.el9_2.tuxcare.5 gnutls-3.7.6-23.el9_2.tuxcare.3 nettle-3.8-3.el9_2.tuxcare.1 libgcrypt-1.10.0-10.el9_2.tuxcare.3 nss-3.90.0-6.el9_2.tuxcare.1 $ dnf -y upgrade $ grubby --set-default=/boot/vmlinuz-5.14.0-284.11.1.el9_2.tuxcare.5.$(uname -i) $ reboot After rebooting into a FIPS kernel, remove the OS default kernel packages, using for example: $ dnf remove kernel-5.14.0-284.11.1.el9_2.x86_64 kernel-5.14.0-284.30.1.el9_2.x86_64 $ dnf autoremove