1.11 Ensure system-wide crypto policy is FUTURE or FIPS


The system-wide crypto-policies followed by the crypto core components allow consistently deprecating and disabling algorithms system-wide. The individual policy levels (DEFAULT, LEGACY, FUTURE, and FIPS) are included in the crypto-policies(7) package. If the Legacy system-wide crypto policy is selected, it includes support for TLS 1.0, TLS 1.1, and SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are allowed, while RSA and Diffie-Hellman parameters are accepted if larger than 1023-bits. These legacy protocols and algorithms can make the system vulnerable to attacks, including those listed in RFC 7457 FUTURE: Is a conservative security level that is believed to withstand any near-term future attacks. This level does not allow the use of SHA-1 in signature algorithms. The RSA and Diffie-Hellman parameters are accepted if larger than 3071 bits. The level provides at least 128-bit security FIPS: Conforms to the FIPS 140-2 requirements. This policy is used internally by the fips- mode-setup(8) tool which can switch the system into the FIPS 140-2 compliance mode. The level provides at least 112-bit security


Run the following command to change the system-wide crypto policy # update-crypto-policies --set FUTURE OR To switch the system to FIPS mode, run the following command: # fips-mode-setup --enable The system-wide cryptographic policy in Red Hat Enterprise Linux 8 does not allow communication using older, insecure protocols. For environments that require to be compatible with Oracle Linux 5 and in some cases also with earlier releases, the less secure LEGACY policy level is available.

See Also


Item Details


References: 800-53|SC-8, CSCv7|14.4

Plugin: Unix

Control ID: e34649c5551ff57018dfaa1cd1a80fed044064e00bc997714b8bc4a69be56fd0