Rule ID
SV-279533r1192035_rule
Version
V1R1
CCIs
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information.
Verify Nutanix implements DOD-approved encryption to protect the confidentiality of remote access sessions.

1. Verify FIPS mode is enabled using the following command.

$ fips-mode-setup --check
FIPS mode is enabled.

2. If FIPS mode is "enabled", check if the kernel boot parameter is configured for FIPS mode using the following command.

$ grub2-editenv list | grep fips
kernelopts=crashkernel=1G-4G:192M,4G-64G:256M,64G-4096G:512M,4096G-:1G nomodeset biosdevname=0 rhgb quiet intel_iommu=on iommu=pt fips=1 audit=1 split_lock_detect=off audit_backlog_limit=8192 net.ifnames=0 systemd.unified_cgroup_hierarchy=1 boot=/dev/disk/by-label/boot ahv.platform=onprem l1tf=flush,nowarn retbleed=off page_poison=0 slub_debug=- spec_rstack_overflow=microcode

3. If the kernel command line is configured to use FIPS mode, check if the system is in FIPS mode using the following command.

$ sudo cat /proc/sys/crypto/fips_enabled
1

If FIPS mode is not "enabled", the kernel boot parameter is not configured for FIPS mode, or the system does not have a value of "1" for "fips_enabled" in "/proc/sys/crypto", this is a finding.
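The three conditions above can be evaluated mechanically, which is useful when the check is run across many CVMs or AHV hosts. The script below is an added example written for this page; it is not DISA or Nutanix tooling, and the function names fips_check_eval and fips_check_live are hypothetical. It only runs the three commands from the check text when invoked with --live; otherwise the evaluation logic can be exercised on captured output, so the same logic works offline against output collected from a host.

```shell
#!/bin/sh
# Added example (not Nutanix or DISA tooling): evaluate the three conditions of the
# check text for SV-279533r1192035_rule and return 0 only when none is a finding.
# Function names are hypothetical; the commands inside fips_check_live are the
# ones the STIG check text itself lists.

# fips_check_eval SETUP_OUTPUT GRUB_OUTPUT PROC_VALUE
#   SETUP_OUTPUT: stdout of `fips-mode-setup --check`
#   GRUB_OUTPUT:  stdout of `grub2-editenv list`
#   PROC_VALUE:   content of /proc/sys/crypto/fips_enabled
# Prints one line per failed condition; exit status 0 = compliant, 1 = finding.
fips_check_eval() {
    fce_setup=$1
    fce_grub=$2
    fce_proc=$3
    fce_status=0

    # 1. fips-mode-setup must report that FIPS mode is enabled.
    case "$fce_setup" in
        *"FIPS mode is enabled."*) ;;
        *) echo "FINDING: fips-mode-setup --check does not report 'FIPS mode is enabled.'"
           fce_status=1 ;;
    esac

    # 2. The kernelopts line in the GRUB environment must carry fips=1 as a whole
    #    token; fips=0, fips=10 or a missing parameter are all findings.
    if ! printf '%s\n' "$fce_grub" | grep -qE '^kernelopts=.*[[:space:]]fips=1([[:space:]]|$)'; then
        echo "FINDING: kernelopts in grub2-editenv list does not contain fips=1"
        fce_status=1
    fi

    # 3. The running kernel must report fips_enabled = 1 (surrounding whitespace ignored).
    if [ "$(printf '%s' "$fce_proc" | tr -d '[:space:]')" != "1" ]; then
        echo "FINDING: /proc/sys/crypto/fips_enabled is not 1"
        fce_status=1
    fi

    return "$fce_status"
}

# fips_check_live: run the three commands from the check text on this host and
# hand their output to fips_check_eval. Needs the RHEL-family tools named there.
fips_check_live() {
    fcl_setup=$(fips-mode-setup --check 2>/dev/null)
    fcl_grub=$(grub2-editenv list 2>/dev/null)
    fcl_proc=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
    fips_check_eval "$fcl_setup" "$fcl_grub" "$fcl_proc"
}

# Only touch the live system when explicitly asked: `sh fips_check.sh --live`
if [ "${1:-}" = "--live" ]; then
    if fips_check_live; then
        echo "Not a finding: all three FIPS conditions are met."
    else
        echo "Finding: see the lines above."
        exit 1
    fi
fi
```

The GRUB test deliberately requires the whole token fips=1 rather than the substring "fips" that the check's grep pipeline shows, because a host with fips=0 on its command line would otherwise pass step 2 while still being a finding under the rule's closing sentence.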
Configure the system to run in FIPS mode.

1. For AOS, configure FIPS mode.

$ sudo salt-call state.sls security/CVM/fipsCVM

2. For Prism Central, configure FIPS mode.

$ sudo salt-call state.sls security/PCVM/fipsPCVM

3. For Files, configure FIPS mode.

$ sudo salt-call state.sls security/AFS/fipsAFS

4. For AHV, configure FIPS mode.

$ sudo salt-call state.sls security/KVM/fipsKVM