- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
OpenSSL is supported by crypto policy, but the OpenSSL configuration may be
set up to ignore it.
To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file
available under /etc/pki/tls/openssl.cnf
.
This file has the ini
format, and it enables crypto policy support
if there is a [ crypto_policy ]
section that contains the .include /etc/crypto-policies/back-ends/opensslcnf.config
directive.
Overriding the system crypto policy makes the behavior of the Java runtime violates expectations, and makes system configuration more fragmented.
The following script can be run on the host to remediate the issue.
#!/bin/bash
OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]'
OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]'
OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config'
OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*(?:=\s*)?/etc/crypto-policies/back-ends/opensslcnf.config$'
function remediate_openssl_crypto_policy() {
CONFIG_FILE=/etc/pki/tls/openssl.cnf
if test -f "$CONFIG_FILE"; then
if ! grep -q "^\\s*$OPENSSL_CRYPTO_POLICY_SECTION_REGEX" "$CONFIG_FILE"; then
printf '\n%s\n\n%s' "$OPENSSL_CRYPTO_POLICY_SECTION" "$OPENSSL_CRYPTO_POLICY_INCLUSION" >> "$CONFIG_FILE"
return 0
elif ! grep -q "^\\s*$OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX" "$CONFIG_FILE"; then
sed -i "s|$OPENSSL_CRYPTO_POLICY_SECTION_REGEX|&\\n\\n$OPENSSL_CRYPTO_POLICY_INCLUSION\\n|" "$CONFIG_FILE"
return 0
fi
else
echo "Aborting remediation as '$CONFIG_FILE' was not even found." >&2
return 1
fi
}
remediate_openssl_crypto_policy
The following playbook can be run with Ansible to remediate the issue.
- name: Configure OpenSSL library to use System Crypto Policy - Search for crypto_policy
Section
ansible.builtin.find:
paths: /etc/pki/tls
patterns: openssl.cnf
contains: ^\s*\[\s*crypto_policy\s*]
register: test_crypto_policy_group
tags:
- NIST-800-53-AC-17(2)
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-MA-4(6)
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- PCI-DSS-Req-2.2
- configure_openssl_crypto_policy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Configure OpenSSL library to use System Crypto Policy - Search for crypto_policy
Section Together With .include Directive
ansible.builtin.find:
paths: /etc/pki/tls
patterns: openssl.cnf
contains: ^\s*\.include\s*(?:=\s*)?/etc/crypto-policies/back-ends/opensslcnf.config$
register: test_crypto_policy_include_directive
tags:
- NIST-800-53-AC-17(2)
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-MA-4(6)
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- PCI-DSS-Req-2.2
- configure_openssl_crypto_policy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Configure OpenSSL library to use System Crypto Policy - Add .include Line
for opensslcnf.config File in crypto_policy Section
ansible.builtin.lineinfile:
create: true
insertafter: ^\s*\[\s*crypto_policy\s*]\s*
line: .include /etc/crypto-policies/back-ends/opensslcnf.config
path: /etc/pki/tls/openssl.cnf
when:
- test_crypto_policy_group.matched > 0
- test_crypto_policy_include_directive.matched == 0
tags:
- NIST-800-53-AC-17(2)
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-MA-4(6)
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- PCI-DSS-Req-2.2
- configure_openssl_crypto_policy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy
- name: Configure OpenSSL library to use System Crypto Policy - Add crypto_policy
Section With .include for opensslcnf.config File
ansible.builtin.lineinfile:
create: true
line: |-
[crypto_policy]
.include /etc/crypto-policies/back-ends/opensslcnf.config
path: /etc/pki/tls/openssl.cnf
when: test_crypto_policy_group.matched == 0
tags:
- NIST-800-53-AC-17(2)
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-MA-4(6)
- NIST-800-53-SC-12(2)
- NIST-800-53-SC-12(3)
- NIST-800-53-SC-13
- PCI-DSS-Req-2.2
- configure_openssl_crypto_policy
- low_complexity
- medium_disruption
- medium_severity
- no_reboot_needed
- unknown_strategy