STIG- Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config

We use STIG in FEDRAMP and we see this control fail w.r.t FIPS 140-2

Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be set up incorrectly. To check that Crypto Policies settings for ciphers are configured correctly, ensure that /etc/crypto-policies/back-ends/openssh.config contains the following line and is not commented out:

Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com

Since Rocky Linux 8 is FIPS 140-3 compliant, will it fall into a false positive?

Can we ignore this control?
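The control text above describes a purely mechanical check: the scanner looks for an uncommented line in /etc/crypto-policies/back-ends/openssh.config that carries exactly the listed cipher string. The following POSIX shell snippet is an added example reproducing that check so it can be run locally against the backend file (or any copy of it) before the next scan; it is not part of this thread or of any scanner. The file path and cipher list are taken from the control as quoted; the function names and the constructed sample files are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from any STIG scanner.
# Mirrors the control's wording: the backend file must contain this exact
# "Ciphers" line and the line must not be commented out.

OPENSSH_BACKEND='/etc/crypto-policies/back-ends/openssh.config'   # path from the control
REQUIRED_CIPHERS='aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com'

# check_openssh_ciphers FILE
# Returns 0 when FILE holds an uncommented "Ciphers <required list>" line,
# 1 otherwise (unreadable file, line commented out, or a different list).
check_openssh_ciphers() {
    f="$1"
    [ -r "$f" ] || return 1
    # Leading whitespace is tolerated; a leading '#' is not; the list must match exactly.
    grep -Eq "^[[:space:]]*Ciphers[[:space:]]+${REQUIRED_CIPHERS}[[:space:]]*$" "$f"
}

# make_sample CONTENT
# Writes CONTENT to a temporary file and prints its path (constructed test input).
make_sample() {
    t=$(mktemp)
    printf '%s\n' "$1" > "$t"
    printf '%s' "$t"
}

# report FILE: human-readable PASS/FAIL for one file.
report() {
    if check_openssh_ciphers "$1"; then
        echo "PASS  $1"
    else
        echo "FAIL  $1"
    fi
}

# Demo on three constructed files: compliant, commented out, and a different cipher list.
good=$(make_sample "Ciphers $REQUIRED_CIPHERS")
commented=$(make_sample "#Ciphers $REQUIRED_CIPHERS")
other=$(make_sample "Ciphers aes128-cbc,3des-cbc")
for f in "$good" "$commented" "$other"; do
    report "$f"
done
rm -f "$good" "$commented" "$other"

# Finally, the real backend file, if this host has one.
[ -e "$OPENSSH_BACKEND" ] && report "$OPENSSH_BACKEND"
```

The regex is deliberately strict about the cipher string because the control text is: a file that lists the same ciphers in a different order, or adds one, still fails this particular check even though the algorithms themselves may be acceptable. Note that the backend file is generated by the crypto-policies tooling, so the usual fix is to correct the active policy rather than to hand-edit the file.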

Can we ignore this control?

Not if I understand anything about FedRAMP or government-mandated security controls in general. (Disclaimer: I’ve never done any of these regulated environments myself, so everything I “know” is either second-hand or half remembered from documentation.)

Unless your system was configured with a FIPS-compatible security profile from the beginning, or explicitly set into one, you’re probably not compliant. man crypto-policies and man fips-mode-setup should point you in the right direction.

We have enabled FIPS successfully in our systems
fips-mode-setup --check
FIPS mode is enabled

Rocky Linux lacks a STIG profile, hence the report uses the Red Hat 8 profile instead.
Additionally, several controls fail in relation to FIPS 140-2, although Rocky Linux 8 complies with FIPS 140-3.
So do we apply these controls or treat them as false positives?

Well FIPS 140-3 supersedes FIPS 140-2… exactly how that applies to your specific security case, I don’t know. Who in your organization is setting the standards, verifying compliance, etc.?

In my opinion, you should be discussing this with your information security team and/or auditors. Anything related to “false positives” or applying a security configuration or having a system fall under some sort of compliance is a discussion between yourself and information security professionals whom you work with.
