- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Libreswan is supported by system crypto policy, but the Libreswan configuration may be set up to ignore it.
To check that Crypto Policies settings are configured correctly, ensure that the /etc/ipsec.conf
includes the appropriate configuration file.
In /etc/ipsec.conf
, make sure that the following line
is not commented out or superseded by later includes:
include /etc/crypto-policies/back-ends/libreswan.config
Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations, and makes system configuration more fragmented.
The following script can be run on the host to remediate the issue.
#!/bin/bash
function remediate_libreswan_crypto_policy() {
CONFIG_FILE="/etc/ipsec.conf"
if ! grep -qP "^\s*include\s+/etc/crypto-policies/back-ends/libreswan.config\s*(?:#.*)?$" "$CONFIG_FILE" ; then
# the file might not end with a new line
echo -e '\ninclude /etc/crypto-policies/back-ends/libreswan.config' >> "$CONFIG_FILE"
fi
return 0
}
remediate_libreswan_crypto_policy
The following playbook can be run with Ansible to remediate the issue.
- name: Configure Libreswan to use System Crypto Policy
lineinfile:
path: /etc/ipsec.conf
line: include /etc/crypto-policies/back-ends/libreswan.config
create: true
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-MA-4(6)
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- PCI-DSS-Req-2.2
- configure_libreswan_crypto_policy
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- restrict_strategy