
crypto-policies expects "DEFAULT" yet CIS Benchmark says "not LEGACY"

Open gmisura opened this issue 5 months ago • 3 comments

Description of problem:

I hardened my AL2023 instance, including enabling FIPS and then ran the openSCAP audit. The audit says I failed the "Configure System Cryptography Policy" because /etc/crypto-policies/config is not "DEFAULT" (or DEFAULT:NO-SHA1). It's set to "FIPS".

The CIS Benchmark clearly says that the expected value is "Not LEGACY". It doesn't expect it to be "DEFAULT" so I'm not sure why the check is looking for "DEFAULT".

SCAP Security Guide Version:

0.1.77

Operating System Version:

AL2023

Steps to Reproduce:

  1. Harden AL2023
  2. Enable FIPS
  3. Run audit: oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_server_l1 --report ec2-al2023_oscap-ssg-report_2025-07-23-01-01-06.html scap-security-guide-0.1.77/ssg-al2023-ds.xml

Actual Results:

Failed "Configure System Cryptography Policy"

Expected Results:

Pass "Configure System Cryptography Policy"

Additional Information/Debugging Steps:

CIS_Amazon_linux_2023_Benchmark_v1.0.0.pdf

1.9 Ensure system-wide crypto policy is not legacy (Automated)

Profile Applicability:
  • Level 1 - Server

Description: The system-wide crypto-policies followed by the crypto core components allow consistently deprecating and disabling algorithms system-wide. The individual policy levels (DEFAULT, LEGACY, FUTURE, and FIPS) are included in the crypto-policies(7) package.

Rationale: If the Legacy system-wide crypto policy is selected, it includes support for TLS 1.0, TLS 1.1, and SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are allowed, while RSA and Diffie-Hellman parameters are accepted if larger than 1023-bits. These legacy protocols and algorithms can make the system vulnerable to attacks, including those listed in RFC 7457.

Impact: Environments that require compatibility with older insecure protocols may require the use of the less secure LEGACY policy level.

Audit: Run the following command to verify that the system-wide crypto policy is not LEGACY:

grep -E -i '^\s*LEGACY\s*(\s+#.*)?$' /etc/crypto-policies/config

Verify that no lines are returned.

Remediation: Run the following command to change the system-wide crypto policy:

update-crypto-policies --set <CRYPTO POLICY>

Example:

update-crypto-policies --set DEFAULT

Run the following to make the updated system-wide crypto policy active:

update-crypto-policies

Default Value: DEFAULT

References:

  1. CRYPTO-POLICIES(7)
  2. https://access.redhat.com/articles/3642912#what-polices-are-provided-1
  3. NIST SP 800-53 Rev. 5: SC-8

Additional Information: To switch the system to FIPS mode, run the following command: fips-mode-setup --enable

CIS Controls (Controls Version / Control / IG 1 / IG 2 / IG 3):

  v8 3.10 Encrypt Sensitive Data in Transit: Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH). ● ●
  v7 14.4 Encrypt All Sensitive Information in Transit: Encrypt all sensitive information in transit. ●

gmisura, Jul 23 '25 22:07

This is expected. If you want to use the FIPS crypto policy you should tailor the variable var_system_crypto_policy to fips.

Mab879, Jul 24 '25 20:07
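The tailoring file that the comment above points to, written out as an added example (this is not code from the thread or from the SSG project). It derives a new profile from the SSG CIS Level 1 Server profile and overrides var_system_crypto_policy to fips. Assumptions: the value id follows the usual SSG naming pattern xccdf_org.ssgproject.content_value_var_system_crypto_policy, and the tailoring id and derived profile id are chosen here, not taken from the project.

```shell
#!/bin/sh
# Added example: write an XCCDF 1.2 tailoring file that sets the SSG variable
# var_system_crypto_policy to "fips" for a profile derived from CIS L1 Server.
# Assumptions: value id follows the usual SSG naming convention; the tailoring
# id and derived profile id below are our own choices.

write_fips_tailoring() {
  out="$1"
  cat > "$out" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                 id="xccdf_org.example_tailoring_cis_l1_fips">
  <xccdf:benchmark href="ssg-al2023-ds.xml"/>
  <xccdf:version time="2025-07-25T00:00:00">1</xccdf:version>
  <!-- Derived profile: everything from CIS L1 Server, plus the override. -->
  <xccdf:Profile id="xccdf_org.example_profile_cis_server_l1_fips"
                 extends="xccdf_org.ssgproject.content_profile_cis_server_l1">
    <xccdf:title>CIS Level 1 Server, FIPS crypto policy</xccdf:title>
    <xccdf:description>CIS L1 Server with var_system_crypto_policy set to fips.</xccdf:description>
    <xccdf:set-value idref="xccdf_org.ssgproject.content_value_var_system_crypto_policy">fips</xccdf:set-value>
  </xccdf:Profile>
</xccdf:Tailoring>
EOF
}

# Return the crypto-policy value the tailoring file sets, so the override can
# be confirmed before a scan is run against it.
tailored_crypto_policy() {
  sed -n 's/.*content_value_var_system_crypto_policy">\([^<]*\)<.*/\1/p' "$1"
}

# Usage (not executed here; needs oscap and the SSG data stream on the host):
#   write_fips_tailoring tailoring-fips.xml
#   oscap xccdf eval --tailoring-file tailoring-fips.xml \
#     --profile xccdf_org.example_profile_cis_server_l1_fips \
#     --report report.html scap-security-guide-0.1.77/ssg-al2023-ds.xml
```

The derived profile keeps every other CIS L1 selection unchanged; only the crypto-policy variable differs, which keeps the audit result comparable with an untailored run.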

I would expect the check to verify the result was not LEGACY per the benchmark.

gmisura, Jul 25 '25 02:07

I was able to create a tailoring file and override the var_system_crypto_policy to FIPS, so now my audit passes that check.

I still think the check should be != "LEGACY"; the grep is right in the benchmark: grep -E -i '^\s*LEGACY\s*(\s+#.*)?$' /etc/crypto-policies/config

or should be:

grep -qE '^(DEFAULT|FUTURE|FIPS)$' /etc/crypto-policies/config

The fact that the benchmark also says fips-mode-setup --enable means it is telling you to enable FIPS so the CIS Level 1 / 2 profiles are expecting FIPS, not DEFAULT.

gmisura, Jul 28 '25 18:07
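To make the disagreement in this thread concrete, here is an added example (not code from the thread, the CIS benchmark, or the SSG project) that runs the three audits discussed above over constructed /etc/crypto-policies/config contents: the benchmark's "not LEGACY" grep, an approximation of the SSG check as the issue describes it (the value must be DEFAULT or a DEFAULT:<subpolicy> form), and the exact allow-list proposed in the last comment. The regexes use [[:space:]] as the POSIX spelling of the benchmark's \s; the SSG approximation is an assumption based on the issue text, not the project's actual OVAL.

```shell
#!/bin/sh
# Added example: compare the audits discussed in the thread on sample configs.
# Constructed inputs only; nothing here reads the real /etc/crypto-policies.

# CIS 1.9 audit: pass when no LEGACY line is present. [[:space:]] stands in
# for the benchmark's \s so the pattern works with any POSIX grep.
cis_not_legacy() {
  ! grep -E -i -q '^[[:space:]]*LEGACY[[:space:]]*([[:space:]]+#.*)?$' "$1"
}

# Approximation (assumption) of the SSG check with var_system_crypto_policy
# left at its default: the value must be DEFAULT, optionally with subpolicies.
ssg_is_default() {
  grep -E -q '^[[:space:]]*DEFAULT(:[A-Z0-9-]+)*[[:space:]]*$' "$1"
}

# Exact allow-list proposed in the thread. Note it rejects DEFAULT:NO-SHA1,
# which the issue reports the SSG check accepting.
allowlist_exact() {
  grep -q -E '^(DEFAULT|FUTURE|FIPS)$' "$1"
}

# Run one config value through all three audits.
# Output format: "<value>: <cis> <ssg> <allowlist>" with PASS/FAIL per audit.
audit_value() {
  f=$(mktemp)
  printf '%s\n' "$1" > "$f"
  r=""
  for check in cis_not_legacy ssg_is_default allowlist_exact; do
    if "$check" "$f"; then r="$r PASS"; else r="$r FAIL"; fi
  done
  rm -f "$f"
  echo "$1:$r"
}

# Constructed sample values, including the trailing-comment form that the
# CIS grep deliberately tolerates.
run_all() {
  for v in DEFAULT DEFAULT:NO-SHA1 FIPS FUTURE LEGACY 'LEGACY   # pinned for old client'; do
    audit_value "$v"
  done
}

run_all
```

Running it shows the point of the issue in one table: FIPS and FUTURE pass the benchmark audit and fail the DEFAULT-only check, while the exact allow-list from the last comment drops DEFAULT:NO-SHA1, so a "not LEGACY" test stays the closest match to the benchmark's own wording.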