{"results":[{"id":"fips-crypto-policy-sufficient","text":"Setting the FIPS system-wide crypto policy is sufficient to achieve FIPS 140 compliance on RHEL 9.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"ktls-enable-modprobe-tls","text":"kTLS (kernel TLS) is enabled by loading the `tls` kernel module (`modprobe tls`) and setting `ktls = true` in a gnutls crypto-policy local.d file.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"ktls-production-tls-offload","text":"Kernel TLS (kTLS) is production-ready for TLS offload on RHEL 9, providing kernel-level cryptographic acceleration that operates within the system-wide crypto policy framework.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel9-all-crypto-policies-disable-weak","text":"All four predefined crypto policies disable IKEv1, 3DES, RC4, DSA, and TLS v1.1 and older.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel9-automatable-defense-in-depth","text":"RHEL 9 defense-in-depth security (SELinux enforcing, firewalld, crypto policies, granular audit) is fully automatable at fleet scale through Ansible system roles and SELinux deployment automation (semanage export/import, fixfiles autorelabel, Ansible roles), enabling consistent security posture across hundreds of hosts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel9-closed-loop-fleet-security-operations","text":"RHEL 9 enables closed-loop fleet security operations where defense-in-depth configuration (SELinux, firewalld, crypto, audit) is automatable via Ansible system roles while continuously verifiable through audit logging, AIDE integrity monitoring, and OpenSCAP compliance scanning.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel9-comprehensive-security-posture","text":"RHEL 9 provides a comprehensive security posture integrating defense-in-depth hardened defaults (SELinux, firewalld, crypto policies, audit), continuous compliance monitoring (audit logging, AIDE integrity, OpenSCAP scanning), and layered authentication hardening (pam_faillock, password aging, SSH key-based auth) into a unified security architecture.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel9-crypto-default-min-key-2048","text":"The DEFAULT and LEGACY crypto policies require minimum 2048-bit RSA/DH keys; FUTURE requires minimum 3072-bit.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel9-crypto-policy-command-set","text":"The command `update-crypto-policies --set POLICY` changes the system-wide cryptographic policy and requires root privileges.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel9-crypto-policy-command-show","text":"The command `update-crypto-policies --show` displays the current system-wide cryptographic policy on RHEL 9.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel9-crypto-policy-lifecycle","text":"RHEL 9 provides complete crypto policy lifecycle management: four predefined policies, set/show CLI commands, persistent state file verification, and extensibility via custom .pmod subpolicies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel9-crypto-reboot-recommended","text":"A reboot is recommended after changing the system-wide cryptographic policy for full effect.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel9-crypto-scoped-directives-at-syntax","text":"Scoped cryptographic policy directives use `@` syntax to restrict settings to specific protocols or libraries (e.g., `cipher@TLS`, `group@SSH`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel9-current-crypto-policy-state-file","text":"The current effective cryptographic policy can be verified at `/etc/crypto-policies/state/CURRENT.pol`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel9-custom-subpolicy-pmod-location","text":"Custom cryptographic subpolicy files use the `.pmod` extension with uppercase filenames and are stored in `/etc/crypto-policies/policies/modules/`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel9-default-policy-tls12-minimum","text":"The DEFAULT crypto policy enforces TLS 1.2 as the minimum TLS version.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel9-defense-in-depth-container-isolation","text":"RHEL 9 containers operate within a defense-in-depth security stack where per-container MCS categories (assigned by container-selinux) provide inter-container isolation, layered on top of SELinux type enforcement, firewalld network controls, system-wide crypto policies, and continuous audit logging — meaning container breakout must defeat not just the container boundary but every surrounding security layer.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel9-defense-in-depth-security-framework","text":"RHEL 9 enforces defense-in-depth through four integrated security layers: hardened defaults (SELinux enforcing, firewalld, crypto policies), granular cryptographic policy lifecycle management, layered SELinux MAC enforcement with type-based policy, and a unified audit subsystem with original-identity tracking across privilege escalation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel9-dual-authenticated-identity-governed-workload-lifecycle","text":"RHEL 9 workloads are governed across their full lifecycle by dual authentication (subscription for content access, Kerberos for administration) with continuous observability, from identity-authenticated provisioning (IdM/AD-enrolled systems with DNS autodiscovery) through security-governed runtime isolation (SELinux MCS, firewalld, crypto policies) — creating a closed system where no workload phase is unauthenticated, ungoverned, or unobserved.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"rhel9-encrypted-storage-lifecycle","text":"RHEL 9 provides end-to-end encrypted storage lifecycle management: NBDE with Clevis/Tang for automated decryption across multiple pin types, volume-type-specific unlock requirements (dracut for root, systemd for non-root), and system-wide cryptographic policy governance ensuring encryption algorithms comply with organizational standards.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":40,"limit":20,"offset":0}