1.6.1 Ensure system wide crypto policy is not set to legacy

Information

When a system-wide policy is set up, the default behavior of applications will be to follow the policy. Applications will be unable to use algorithms andprotocols that do not meet the policy, unless you explicitly request the application to do so.

The system-wide crypto-policies followed by the crypto core components allow consistently deprecating and disabling algorithms system-wide.

The LEGACY policy ensures maximum compatibility with version 5 of the operating system and earlier; it is less secure due to an increased attack surface. In addition to the DEFAULT level algorithms and protocols, it includes support for the TLS 1.0 and 1.1 protocols. The algorithms DSA 3DES and RC4 are allowed, while RSA keys and Diffie-Hellman parameters are accepted if they are at least 1023 bits long.

If the LEGACY system-wide crypto policy is selected, it includes support for TLS 1.0, TLS 1.1, and SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are allowed, while RSA and Diffie-Hellman parameters are accepted if larger than 1023-bits.

These legacy protocols and algorithms can make the system vulnerable to attacks, including those listed in RFC 7457

Solution

Run the following command to change the system-wide crypto policy

# update-crypto-policies --set <CRYPTO POLICY>

Example:

# update-crypto-policies --set DEFAULT

Run the following to make the updated system-wide crypto policy active

# update-crypto-policies

Impact:

Environments that require compatibility with older insecure protocols may require the useof the less secure LEGACY policy level.

See Also

https://workbench.cisecurity.org/benchmarks/15286

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: Unix

Control ID: 88bcc2ca2524e6069359a6a2156537271a11f98aae3a30c07559aad36eecf07c