1.10 Ensure system-wide crypto policy is not legacy
Warning! Audit Deprecated
This audit has been deprecated and will be removed in a future update.
View Next Audit VersionInformation
The system-wide crypto-policies followed by the crypto core components allow consistently deprecating and disabling algorithms system-wide. The individual policy levels (DEFAULT, LEGACY, FUTURE, and FIPS) are included in the crypto-policies(7) package. If the Legacy system-wide crypto policy is selected, it includes support for TLS 1.0, TLS 1.1, and SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are allowed, while RSA and Diffie-Hellman parameters are accepted if larger than 1023-bits. These legacy protocols and algorithms can make the system vulnerable to attacks, including those listed in RFC 7457Solution
Run the following command to change the system-wide crypto policy # update-crypto-policies --set <CRYPTO POLICY> Example: # update-crypto-policies --set DEFAULT Run the following to make the updated system-wide crypto policy active # update-crypto-policies The default system-wide cryptographic policy in Oracle Linux 8 does not allow communication using older, insecure protocols. For environments that require to be compatible with Oracle Linux 5 and in some cases also with earlier releases, the less secure LEGACY policy level is available. To switch the system to FIPS mode, run the following command: fips-mode-setup --enableSee Also
Item Details
Audit Name: CIS Fedora 28 Family Linux Server L1 v1.0.0
References: CSCv7|14.4
Plugin: Unix
Control ID: bc4adad52348d4701d883763b2963a30d06dddb1812767172904cb226e7795b4