Details

The operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.

Rationale:

File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes.

Solution

Configure the file integrity tool to use FIPS 140-2 cryptographic hashes for validating file and directory contents.
If AIDE is installed, ensure the sha512 rule is present on all uncommented file and directory selection lists.
Example: vim /etc/aide.conf
add a rule that includes the sha512 example:

All=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux
/bin All # apply the custom rule to the files in bin
/sbin All # apply the same custom rule to the files in sbin

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/3636

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Unix.

References

• 800-53|CM-6b.
• CCI|CCI-000366
• CSCv6|2.2
• CSCv7|14.6
• Rule-ID|SV-204500r603261_rule
• STIG-ID|RHEL-07-021620

Source

• Tenable.com/audits