Configure System Cryptography Policy

Classification:

compliance

Framework:

Control:

Description

To configure the system cryptography policy to use ciphers only from the DEFAULT policy, run the following command:

$ sudo update-crypto-policies --set DEFAULT

The rule checks whether the settings for the selected crypto policy are configured as expected. The configuration files in /etc/crypto-policies/back-ends are either symlinks to the correct files provided by the crypto-policies package, or regular files when crypto policy customizations have been applied. A crypto policy may be customized with crypto policy modules, in which case the module names are appended to the base policy and delimited from it with a colon.
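As an added example (not part of this rule or of the crypto-policies project), the following bash function audits the state described above: it reads the effective policy line from the config file, strips any module suffix after the colon, and checks that each back-end file is either a symlink into the expected package policy directory or a regular (customized) file. The /usr/share/crypto-policies/<POLICY>/ layout and the NO-SHA1 module name in the comments are assumptions about the package, not taken from this page; the paths are parameters so the check also runs against a constructed directory tree.

```bash
#!/bin/bash
# Added example, not the rule's own check. Assumed system layout: /etc/crypto-policies/config,
# /etc/crypto-policies/back-ends and package-provided policies under /usr/share/crypto-policies/<POLICY>/.

# Print the effective policy line: the last line that is neither blank nor a comment,
# e.g. "DEFAULT" or "DEFAULT:NO-SHA1" (module names follow the base policy after a colon).
effective_policy() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | tail -n 1
}

# check_crypto_policy CONFIG BACKENDS_DIR SHARE_DIR EXPECTED_BASE
# Returns 0 when the configured base policy equals EXPECTED_BASE and every back-end
# file is either a symlink into SHARE_DIR/EXPECTED_BASE/ (unmodified, package-provided)
# or a regular file (generated when modules or customizations are applied). A symlink
# into another policy directory means the config was edited without rerunning
# update-crypto-policies, leaving stale back-ends; that is reported as a failure.
check_crypto_policy() {
    local config="$1" backends="$2" share expected="$4"
    local policy base f target rc=0
    share=$(readlink -f "$3")          # canonicalize so symlink targets compare equal

    policy=$(effective_policy "$config")
    base=${policy%%:*}                 # drop any ":MODULE:..." suffix
    if [ "$base" != "$expected" ]; then
        echo "FAIL: configured policy is '${policy:-<none>}', expected '$expected'" >&2
        rc=1
    fi

    for f in "$backends"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # unmatched glob or empty directory
        if [ -L "$f" ]; then
            target=$(readlink -f "$f")
            case "$target" in
                "$share/$expected/"*) ;;   # points into the expected policy directory
                *) echo "FAIL: $f -> $target is not under $share/$expected/" >&2; rc=1 ;;
            esac
        elif [ ! -f "$f" ]; then
            echo "FAIL: $f is neither a symlink nor a regular file" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Audit the live system when invoked with the four arguments, e.g.:
#   ./check.sh /etc/crypto-policies/config /etc/crypto-policies/back-ends /usr/share/crypto-policies DEFAULT
if [ "$#" -eq 4 ]; then
    check_crypto_policy "$@"
fi
```

The exit status is the audit result, so the script can be dropped into a cron job or a CI check as-is.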

Rationale

Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

var_system_crypto_policy='DEFAULT'

# Apply the policy; capture stderr for diagnostics and discard stdout.
stderr_of_call=$(update-crypto-policies --set "${var_system_crypto_policy}" 2>&1 > /dev/null)
rc=$?

if test "$rc" = 127; then
    # 127: the update-crypto-policies command was not found
    echo "$stderr_of_call" >&2
    echo "Make sure that the script is installed on the remediated system." >&2
    echo "See output of the 'dnf provides update-crypto-policies' command" >&2
    echo "to see what package to (re)install" >&2

    false # end with an error code
elif test "$rc" != 0; then
    echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
    false # end with an error code
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: XCCDF Value var_system_crypto_policy # promote to variable
  set_fact:
    var_system_crypto_policy: !!str DEFAULT
  tags:
    - always

- name: Configure System Cryptography Policy
  lineinfile:
    path: /etc/crypto-policies/config
    regexp: ^(?!#)(\S+)$
    line: '{{ var_system_crypto_policy }}'
    create: true
  tags:
    - CCE-80935-0
    - DISA-STIG-RHEL-08-010020
    - NIST-800-53-AC-17(2)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SC-13
    - configure_crypto_policy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - restrict_strategy

- name: Verify that Crypto Policy is Set (runtime)
  command: /usr/bin/update-crypto-policies --set {{ var_system_crypto_policy }}
  tags:
    - CCE-80935-0
    - DISA-STIG-RHEL-08-010020
    - NIST-800-53-AC-17(2)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SC-13
    - configure_crypto_policy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - restrict_strategy

Warning

The system needs to be rebooted for these changes to take effect.