{"description": "To configure the system cryptography policy to use ciphers only from the <tt><sub idref=\"var_system_crypto_policy\" /></tt>\npolicy, run the following command:\n<pre>$ sudo update-crypto-policies --set <sub idref=\"var_system_crypto_policy\" /></pre>\nThe rule checks whether the settings for the selected crypto policy are configured as expected. Configuration files in <tt>/etc/crypto-policies/back-ends</tt> are either symlinks to the correct files provided by the crypto-policies package, or regular files if crypto policy customizations are applied.\nCrypto policies may be customized by crypto policy modules, in which case the module name is delimited from the base policy name using a colon.", "rationale": "Centralized cryptographic policies simplify applying secure ciphers across an operating system and\nthe applications that run on that operating system. Use of weak or untested encryption algorithms\nundermines the purposes of utilizing encryption to protect data.", "severity": "high", "references": {"hipaa": ["164.308(a)(4)(i)", "164.308(b)(1)", "164.308(b)(3)", "164.312(e)(1)", "164.312(e)(2)(ii)"], "nerc-cip": ["CIP-003-8 R4.2", "CIP-007-3 R5.1", "CIP-007-3 R7.1"], "nist": ["AC-17(a)", "AC-17(2)", "CM-6(a)", "MA-4(6)", "SC-13", "SC-12(2)", "SC-12(3)"], "ospp": ["FCS_COP.1(1)", "FCS_COP.1(2)", "FCS_COP.1(3)", "FCS_COP.1(4)", "FCS_CKM.1", "FCS_CKM.2", "FCS_TLSC_EXT.1"], "srg": ["SRG-OS-000396-GPOS-00176", "SRG-OS-000393-GPOS-00173", "SRG-OS-000394-GPOS-00174"], "ism": ["1446"], "pcidss4": ["2.2.7", "2.2"]}, "control_references": {"ism": ["1446"], "pcidss4": ["2.2.7", "2.2"]}, "components": [], "identifiers": {}, "ocil_clause": "cryptographic policy is not configured or is configured incorrectly", "ocil": "To verify that the cryptography policy has been configured correctly, run the\nfollowing command:\n<pre>$ update-crypto-policies --show</pre>\nThe output should be <pre><sub idref=\"var_system_crypto_policy\" /></pre>.\nRun the command to check if the policy is 
correctly applied:\n<pre>$ update-crypto-policies --is-applied</pre>\nThe output should be <pre>The configured policy is applied</pre>.\nMoreover, check whether the settings for the selected crypto policy are as expected.\nList all libraries whose crypto policy files in <pre>/etc/crypto-policies/back-ends</pre> are not symbolic links.\n<pre>$ ls -l /etc/crypto-policies/back-ends/ | grep '^[^l]' | tail -n +2 | awk -F' ' '{print $NF}' | awk -F'.' '{print $1}' | sort</pre>\nNext, check whether the matching libraries have drop-in files in the <pre>/etc/crypto-policies/local.d</pre> directory.\n<pre>$ ls /etc/crypto-policies/local.d/ | awk -F'-' '{print $1}' | uniq | sort</pre>\nThe outputs of the two previous commands should match.", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to use system cryptography policy.\nRun the following command:\n\n$ sudo update-crypto-policies --set <sub idref=\"var_system_crypto_policy\" />", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must use <sub idref=\"var_system_crypto_policy\" /> for the system cryptography policy.", "warnings": [{"general": "The system needs to be rebooted for these changes to take effect."}, {"regulatory": "System Crypto Modules must be provided by a vendor that undergoes\nFIPS-140 certifications.\nFIPS-140 is applicable to all Federal agencies that use\ncryptographic-based security systems to protect sensitive information\nin computer and telecommunication systems (including voice systems) as\ndefined in Section 5131 of the Information Technology Management Reform\nAct of 1996, Public Law 104-106. This standard shall be used in\ndesigning and implementing cryptographic modules that Federal\ndepartments and agencies operate or are operated for them under\ncontract. 
See <b>\n<a xmlns='http://www.w3.org/1999/xhtml' href='https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf'>https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf</a></b>\nTo meet this, the system has to have cryptographic software provided by\na vendor that has undergone this certification. This means providing\ndocumentation, test results, design information, and independent third\nparty review by an accredited lab. While open source software is\ncapable of meeting this, it does not meet FIPS-140 unless the vendor\nsubmits to this process."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must implement a FIPS 140-3 compliant systemwide cryptographic policy.", "vuldiscussion": "Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data.", "checktext": "Verify that Ubuntu 22.04 is set to use a FIPS 140-3 compliant systemwide cryptographic policy.\n\n$ update-crypto-policies --show\n\nFIPS\n\nIf the systemwide crypto policy is not set to \"FIPS\", this is a finding.\n\nInspect the contents of the REQUIRE.pmod file (if it exists) to ensure that only authorized modifications to the current policy are included with the following command:\n\n$ cat /etc/crypto-policies/policies/modules/REQUIRE.pmod\n\nNote: If subpolicies have been configured, they could be listed in a colon-separated list starting with FIPS as follows FIPS:&lt;SUBPOLICY-NAME&gt;:&lt;SUBPOLICY-NAME&gt;. 
This is not a finding.\n\nIf the AD-SUPPORT subpolicy module is included (e.g., \"FIPS:AD-SUPPORT\"), and Active Directory support is not documented as an operational requirement with the information system security officer (ISSO), this is a finding.\n\nIf the NO-ENFORCE-EMS subpolicy module is included (e.g., \"FIPS:NO-ENFORCE-EMS\"), and not enforcing EMS is not documented as an operational requirement with the ISSO, this is a finding.\n\nVerify the current minimum crypto-policy configuration with the following commands:\n\n$ grep -E 'rsa_size|hash' /etc/crypto-policies/state/CURRENT.pol\nhash = SHA2-256 SHA2-384 SHA2-512 SHA2-224 SHA3-256 SHA3-384 SHA3-512 SHAKE-256\nmin_rsa_size = 2048\n\nIf the \"hash\" values do not include at least the following FIPS 140-3 compliant algorithms  \"SHA2-256 SHA2-384 SHA2-512 SHA2-224 SHA3-256 SHA3-384 SHA3-512 SHAKE-256\", this is a finding.\n\nIf there are algorithms that include \"SHA1\" or a hash value less than \"256\" this is a finding.\n\nIf the \"min_rsa_size\" is not set to a value of at least 2048, this is a finding.\n\nIf these commands do not return any output, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to use a FIPS 140-3 compliant systemwide cryptographic policy.\n\nCreate subpolicies for enhancements to the systemwide crypto-policy with the following commands:\n\nCreate or edit the SCOPES-AND-WILDCARDS policy module in a text editor and insert options that modify the systemwide cryptographic policy as follows:\n$ sudo vi /etc/crypto-policies/policies/modules/SCOPES-AND-WILDCARDS.pmod\n\nAdd the following lines to the policy:\n# Disable CHACHA20-POLY1305 for the TLS protocol (OpenSSL, GnuTLS, NSS, and OpenJDK)\ncipher@TLS = -CHACHA20-POLY1305\n\n# Disable all CBC mode ciphers for the SSH protocol (libssh and OpenSSH)\ncipher@SSH = -*-CBC\n\nCreate or edit the OPENSSH-SUBPOLICY module in a text editor and insert options that modify the systemwide crypto-policy as follows:\n$ sudo vi 
/etc/crypto-policies/policies/modules/OPENSSH-SUBPOLICY.pmod\n\nAdd the following lines to the policy:\n# Define ciphers for OpenSSH\ncipher@SSH=AES-256-GCM AES-128-GCM AES-256-CTR AES-128-CTR\n\n# Define MACs for OpenSSH\nmac@SSH=HMAC-SHA2-512 HMAC-SHA2-256\n\nCreate or edit the REQUIRE.pmod file and add the following lines to include the subpolicies in the FIPS configuration with the following command:\n\n$ sudo vi /etc/crypto-policies/policies/modules/REQUIRE.pmod\n\nAdd the following lines to REQUIRE.pmod:\n@OPENSSH-SUBPOLICY\n@SCOPES-AND-WILDCARDS\n\nApply the policy enhancements to the FIPS systemwide cryptographic policy level with the following command:\n\n$ sudo update-crypto-policies --set FIPS\n\nNote: If additional subpolicies are being employed, they should be added to the REQUIRE.pmod as well. REQUIRE.pmod is included in the systemwide crypto-policy when it is set.\n\nTo make the cryptographic settings effective for already running services and applications, restart the system:\n$ sudo reboot"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Configure System Cryptography Policy", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml", "template": null}