1.10 Ensure system-wide crypto policy is not legacy

Information

The system-wide crypto-policies followed by the crypto core components allow consistently deprecating and disabling algorithms system-wide.

The individual policy levels (DEFAULT, LEGACY, FUTURE, and FIPS) are included in the crypto-policies(7) package.

Rationale:

If the Legacy system-wide crypto policy is selected, it includes support for TLS 1.0, TLS 1.1, and SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are allowed, while RSA and Diffie-Hellman parameters are accepted if larger than 1023-bits.

These legacy protocols and algorithms can make the system vulnerable to attacks, including those listed in RFC 7457

Impact:

Environments that require compatibility with older insecure protocols may require the use of the less secure LEGACY policy level.

Solution

Run the following command to change the system-wide crypto policy

# update-crypto-policies --set <CRYPTO POLICY>

Example:

# update-crypto-policies --set DEFAULT

Run the following to make the updated system-wide crypto policy active

# update-crypto-policies

Default Value:

DEFAULT

See Also

https://workbench.cisecurity.org/files/3939

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: Unix

Control ID: 616361d7cd9fff60f6e8039246b9ffc1538eb2d0e256ebed181f4d3fc695270a