Configure Libreswan to use System Crypto Policy

Docs > Datadog Security > OOTB Rules > Configure Libreswan to use System Crypto Policy

Classification:

compliance

Framework:

Control:

Description

Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Libreswan is supported by system crypto policy, but the Libreswan configuration may be set up to ignore it.

To check that Crypto Policies settings are configured correctly, ensure that the /etc/ipsec.conf includes the appropriate configuration file. In /etc/ipsec.conf, make sure that the following line is not commented out or superseded by later includes: include /etc/crypto-policies/back-ends/libreswan.config

Rationale

Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations, and makes system configuration more fragmented.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

function remediate\_libreswan\_crypto\_policy() {
 CONFIG\_FILE="/etc/ipsec.conf"
 if ! grep -qP "^\s\*include\s+/etc/crypto-policies/back-ends/libreswan.config\s\*(?:#.\*)?$" "$CONFIG\_FILE" ; then
 # the file might not end with a new line
 echo -e '\ninclude /etc/crypto-policies/back-ends/libreswan.config' >> "$CONFIG\_FILE"
 fi
 return 0
}

remediate\_libreswan\_crypto\_policy

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Configure Libreswan to use System Crypto Policy
 lineinfile:
 path: /etc/ipsec.conf
 line: include /etc/crypto-policies/back-ends/libreswan.config
 create: true
 tags:
 - NIST-800-53-CM-6(a)
 - NIST-800-53-MA-4(6)
 - NIST-800-53-SC-12(2)
 - NIST-800-53-SC-12(3)
 - NIST-800-53-SC-13
 - PCI-DSS-Req-2.2
 - configure\_libreswan\_crypto\_policy
 - high\_severity
 - low\_complexity
 - low\_disruption
 - no\_reboot\_needed
 - restrict\_strategy