In order to improve the security on a RHEL 8.2 installation, I'm looking at some way to adjust the DEFAULT cryptographic policy.

According to the RHEL 8 Security Hardening guide (1) it is possible to create a module to customize that policy. Unfortunately, the reference for the details is to check the update-crypto-policies(8) man page, but the "Crypto Policy Definition Format" section doesn't exist.

My question is, how can I create a module to customize the cryptographic policy?

In particular, I'm looking at a way to disable CBC ciphers in the OpenSSH server (I'm aware that another solution exists (2); my preference would still be to customize the policy).

1: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#customizing-system-wide-cryptographic-policies-with-policy-modifiers_using-the-system-wide-cryptographic-policies

2: https://access.redhat.com/solutions/4410591


With some more research and testing I found a solution that seems to be working fine:

  • Create a /etc/crypto-policies/policies/modules/SSH-NO-CBC.pmod file with the following content:

        ssh_cipher = -AES-128-CBC -AES-256-CBC

  • Run the following command to apply the change to the policy:

        sudo update-crypto-policies --set DEFAULT:SSH-NO-CBC

A warning message is issued, recommending that the system be rebooted right away.

Of course, this doesn't solve the issue about the missing section in the man page.
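As an added illustration (not part of the original question or answer, and not code from the crypto-policies project), the following Python models what the SSH-NO-CBC.pmod modifier above does to a policy's ssh_cipher list and then runs the check a practitioner wants afterwards: that no CBC cipher survives in the rendered OpenSSH Ciphers directive. Only the removal operator ("-ALG") that the post uses is modeled; the real format supports more than that. The base cipher list and the crypto-policies-to-OpenSSH name mapping are constructed for this example and are assumptions, not values read from RHEL's policy files.

```python
"""Added example: model a crypto-policies modifier (.pmod) that removes
algorithms from a base policy, render the result as an OpenSSH 'Ciphers'
directive, and verify that no CBC cipher remains.

Assumptions: BASE_POLICY and OPENSSH_NAMES below are constructed for the
example; only the '-ALG' removal operator from the post is modeled."""

from __future__ import annotations

import re

# Constructed stand-in for a DEFAULT-style ssh_cipher list (assumption).
BASE_POLICY: dict[str, list[str]] = {
    "ssh_cipher": [
        "AES-256-GCM", "CHACHA20-POLY1305", "AES-256-CTR",
        "AES-128-GCM", "AES-128-CTR", "AES-256-CBC", "AES-128-CBC",
    ],
}

# Contents of the SSH-NO-CBC.pmod file from the post.
SSH_NO_CBC_PMOD = "ssh_cipher = -AES-128-CBC -AES-256-CBC\n"

# Assumed mapping from crypto-policies names to OpenSSH cipher names.
OPENSSH_NAMES = {
    "AES-256-GCM": "aes256-gcm@openssh.com",
    "AES-128-GCM": "aes128-gcm@openssh.com",
    "CHACHA20-POLY1305": "chacha20-poly1305@openssh.com",
    "AES-256-CTR": "aes256-ctr",
    "AES-128-CTR": "aes128-ctr",
    "AES-256-CBC": "aes256-cbc",
    "AES-128-CBC": "aes128-cbc",
}


def parse_pmod(text: str) -> dict[str, list[str]]:
    """Parse 'option = token token ...' lines; '#' comments and blank lines are skipped."""
    mods: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_]+)\s*=\s*(.*)", line)
        if m is None:
            raise ValueError(f"malformed policy line: {raw!r}")
        mods.setdefault(m.group(1), []).extend(m.group(2).split())
    return mods


def apply_modifiers(base: dict[str, list[str]],
                    mods: dict[str, list[str]]) -> dict[str, list[str]]:
    """Return a new policy with every '-ALG' token removed from the named list.

    Removing an algorithm that is not present is a no-op; the base dict is
    not mutated.  Any other operator is rejected because it is not modeled.
    """
    policy = {k: list(v) for k, v in base.items()}
    for option, tokens in mods.items():
        current = policy.setdefault(option, [])
        for tok in tokens:
            if not tok.startswith("-"):
                raise NotImplementedError(f"operator not modeled in this example: {tok}")
            alg = tok[1:]
            if alg in current:
                current.remove(alg)
    return policy


def render_openssh_ciphers(policy: dict[str, list[str]]) -> str:
    """Render the ssh_cipher list the way an OpenSSH 'Ciphers' directive lists it."""
    return "Ciphers " + ",".join(OPENSSH_NAMES[a] for a in policy["ssh_cipher"])


def cbc_ciphers_remaining(ciphers_line: str) -> list[str]:
    """The post-change check: every CBC cipher still present in a 'Ciphers' line."""
    _, _, value = ciphers_line.partition(" ")
    return [c for c in value.split(",") if c.endswith("-cbc")]


if __name__ == "__main__":
    hardened = apply_modifiers(BASE_POLICY, parse_pmod(SSH_NO_CBC_PMOD))
    line = render_openssh_ciphers(hardened)
    print(line)
    print("CBC ciphers remaining:", cbc_ciphers_remaining(line) or "none")
```

On a real host the equivalent check after the reboot is to confirm that `update-crypto-policies --show` reports DEFAULT:SSH-NO-CBC and that `sshd -T | grep -i '^ciphers'` (the effective sshd configuration, which includes what crypto-policies generated under /etc/crypto-policies/back-ends/) lists no *-cbc entries.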