In order to improve the security on a RHEL 8.2 installation, I'm looking at some way to adjust the DEFAULT cryptographic policy.

According to the RHEL 8 Security Hardening guide (1) it is possible to create a module to customize that policy. Unfortunately, the reference for the details is to check the update-crypto-policies(8) man page, but the "Crypto Policy Definition Format" section doesn't exist.

My question is, how can I create a module to customize the cryptographic policy?

Especially, I'm looking at a way to disable CBC ciphers in the OpenSSH server (I'm aware that another solution exists (2); my preference would still be to customize the policy).

Thank you for your help.

1: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#customizing-system-wide-cryptographic-policies-with-policy-modifiers_using-the-system-wide-cryptographic-policies

2: https://access.redhat.com/solutions/4410591


With some more research and testing I found a solution that seems to be working fine:

  • Create a /etc/crypto-policies/policies/modules/SSH-NO-CBC.pmod file with the following content:

      ssh_cipher = -AES-128-CBC -AES-256-CBC

  • Run the following command to apply the change to the policy:

      sudo update-crypto-policies --set DEFAULT:SSH-NO-CBC

A warning message is issued, recommending that the system be rebooted right away.

Of course, this doesn't solve the issue about the missing section in the man page.
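The two steps above as a script, added here and not taken from the thread or from Red Hat's documentation. The module name and the ssh_cipher line come from the post; the verification step, which reads the running daemon's effective cipher list with `sshd -T` after the restart or reboot, is this example's own assumption.

```shell
#!/bin/sh
# Added example: create the SSH-NO-CBC policy module, apply it on top of
# DEFAULT, and verify that sshd no longer offers any CBC cipher.
set -eu

MODULE_NAME="SSH-NO-CBC"
MODULE_DIR="${MODULE_DIR:-/etc/crypto-policies/policies/modules}"

# Write the policy module file; the key and values are those from the thread.
write_pmod() {
    dir="$1"
    printf '%s\n' "ssh_cipher = -AES-128-CBC -AES-256-CBC" > "$dir/$MODULE_NAME.pmod"
    cat "$dir/$MODULE_NAME.pmod"
}

# Apply the module on top of DEFAULT (needs root; prints the reboot warning).
apply_policy() {
    sudo update-crypto-policies --set "DEFAULT:$MODULE_NAME"
}

# Return 0 if a comma-separated cipher list (the format `sshd -T` prints)
# contains no cipher ending in "-cbc", 1 otherwise. Case-insensitive.
no_cbc_in_list() {
    list="$1"
    ! printf '%s\n' "$list" | tr ',' '\n' | grep -qi -- '-cbc$'
}

# Read the effective cipher list of the installed sshd configuration
# (needs root; assumption: sshd reads the policy back-end at startup, so run
# this after the reboot the warning asks for, or after restarting sshd).
verify_sshd() {
    ciphers=$(sudo sshd -T 2>/dev/null | awk '$1 == "ciphers" { print $2 }')
    no_cbc_in_list "$ciphers"
}

# Only touch the system when explicitly asked: APPLY_NOW=1 sh this_script.sh
if [ "${APPLY_NOW:-0}" = "1" ]; then
    write_pmod "$MODULE_DIR"
    apply_policy
    echo "Reboot (or restart sshd), then call verify_sshd to confirm."
fi
```

Run with `APPLY_NOW=1` to write and apply the module; `verify_sshd` exits non-zero if any CBC cipher is still advertised.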

Hi Xavier,

Thank you for reporting a bug in the crypto-policies documentation. The Crypto Policy Definition Format section is in the crypto-policies(7) man page. I will fix and republish the corresponding section ASAP.

Regarding the procedure for creating a custom policy modifier (file) - your steps are about the same as those in the Customizing system-wide cryptographic policies with policy modifiers section you referenced in your initial post.

Formerly, I suggested using two printf commands to create and fill two example .pmod files, but my colleagues recommended that I rather just list the content of those files using cat. I am considering replacing this step with two separate steps (touch *.pmod and vi/nano/... *.pmod) to make it clearer.

Could you please check the improved section [1] and let me know if you consider it clear and correct? Thank you.

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#customizing-system-wide-cryptographic-policies-with-policy-modifiers_using-the-system-wide-cryptographic-policies

Yes, that is pretty clear, thank you very much for the update.

Thank you for the constructive thread that helped improve the documentation.