{"description": "Crypto Policies provide centralized control over the cryptographic algorithms used by many packages.\nLibreswan is supported by the system crypto policy, but the Libreswan configuration may be\nset up to ignore it.\n\nTo check that the Crypto Policies settings are applied, ensure that <tt>/etc/ipsec.conf</tt>\nincludes the appropriate back-end configuration file.\nIn <tt>/etc/ipsec.conf</tt>, make sure that the following line is present,\nis not commented out, and is not superseded by later includes:\n<tt>include /etc/crypto-policies/back-ends/libreswan.config</tt>\n\nNote that a plain <tt>grep include</tt> also matches a commented-out copy of this line,\nso confirm that the matching line does not begin with <tt>#</tt>.", "rationale": "Overriding the system crypto policy makes the behavior of the Libreswan\nservice violate expectations and makes system configuration more\nfragmented.", "severity": "high", "references": {"nerc-cip": ["CIP-003-8 R4.2", "CIP-007-3 R5.1"], "nist": ["CM-6(a)", "MA-4(6)", "SC-13", "SC-12(2)", "SC-12(3)"], "pcidss": ["Req-2.2"], "srg": ["SRG-OS-000033-GPOS-00014"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the \"IPsec\" service is active and the ipsec configuration file does not contain <tt>include /etc/crypto-policies/back-ends/libreswan.config</tt>", "ocil": "Verify that the IPsec service uses the system crypto policy.\n\nIf the ipsec service is not installed, this requirement is not applicable.\n\nCheck to see if the \"IPsec\" service is active with the following command:\n\n$ systemctl status ipsec\n\nipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec\nLoaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)\nActive: inactive (dead)\n\nIf the \"IPsec\" service is active, check to see if it is using the system crypto policy with the following command:\n\n$ sudo grep include /etc/ipsec.conf /etc/ipsec.d/*.conf\n\n/etc/ipsec.conf:include /etc/crypto-policies/back-ends/libreswan.config\n\nA matching line that begins with \"#\" is commented out and does not satisfy this check.", "oval_external_content": null, "fixtext": "Configure Libreswan to use the system cryptographic policy.\n\nAdd the following line to \"/etc/ipsec.conf\":\n\ninclude /etc/crypto-policies/back-ends/libreswan.config",
"checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 IP tunnels must use FIPS 140-3 approved cryptographic algorithms.", "vuldiscussion": "Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations, and makes system configuration more fragmented.", "checktext": "Verify that the IPsec service uses the system crypto policy with the following command:\n\nNote: If the ipsec service is not installed, this requirement is Not Applicable.\n\n$ sudo grep include /etc/ipsec.conf /etc/ipsec.d/*.conf\n\n/etc/ipsec.conf:include /etc/crypto-policies/back-ends/libreswan.config\n\nIf the ipsec configuration file does not contain \"include /etc/crypto-policies/back-ends/libreswan.config\", this is a finding.", "fixtext": "Configure Libreswan to use the system cryptographic policy.\n\nAdd the following line to \"/etc/ipsec.conf\":\n\ninclude /etc/crypto-policies/back-ends/libreswan.config"}}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Configure Libreswan to use System Crypto Policy", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml", "template": null}
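The rule's check grep matches any line containing "include", so a commented-out include passes it. The following POSIX shell checker is an added example, not part of the SCAP Security Guide rule above or of Libreswan: it classifies an ipsec.conf as having the crypto-policies include present, commented out, or missing, and then lists later uncommented includes and explicit ike=/esp=/phase2alg=/ikev2= settings that can supersede it. It assumes, as current crypto-policies builds do, that the back-end file sets those keywords in a "conn %default" section, so later occurrences deserve manual review; the sample configuration files it writes are constructed for the demonstration and are not real system files.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide rule or of Libreswan.
# Decides whether an ipsec.conf actually activates the crypto-policies
# back-end. A bare `grep include` also matches a commented-out copy of the
# line, so this distinguishes an active include from a commented or missing
# one, then lists later lines that can supersede what the include set.
# The sample configs below are constructed for this demo, not real files.

POLICY=/etc/crypto-policies/back-ends/libreswan.config

# policy_include_status FILE
# Prints present|commented|missing; exit status 0 only for "present".
# awk's default field splitting drops leading blanks and tabs, so $1 is the
# keyword regardless of indentation, and a first field starting with "#"
# marks a comment line.
policy_include_status() {
    awk -v policy="$POLICY" '
        $1 == "include" && $2 == policy { status = "present"; exit }
        $1 ~ /^#/ && index($0, policy) > 0 { if (status == "") status = "commented" }
        END {
            if (status == "") status = "missing"
            print status
            exit (status == "present" ? 0 : 1)
        }
    ' "$1"
}

# later_candidates FILE
# After the first active policy include, print "FILE:LINE: text" for each
# later uncommented include and each explicit ike=/esp=/phase2alg=/ikev2=
# setting. Assumption: the back-end file sets these in "conn %default", so a
# later occurrence can override the policy and needs manual review.
later_candidates() {
    awk -v policy="$POLICY" '
        !seen && $1 == "include" && $2 == policy { seen = 1; next }
        seen && ($1 == "include" || $1 ~ /^(ike|esp|phase2alg|ikev2)=/) {
            printf "%s:%d: %s\n", FILENAME, FNR, $0
        }
    ' "$1"
}

# make_samples: write constructed ipsec.conf variants into a temp dir and
# print the directory path. Each file is a demo input, not a real config.
make_samples() {
    d=$(mktemp -d)
    printf 'config setup\n\tlogfile=/var/log/pluto.log\n\ninclude %s\ninclude /etc/ipsec.d/*.conf\n' \
        "$POLICY" > "$d/good.conf"
    printf 'config setup\n# include %s\nconn %%default\n\tike=aes128-sha1;modp1024\n' \
        "$POLICY" > "$d/commented.conf"
    printf 'include %s\nconn legacy-peer\n\tleft=192.0.2.1\n\tright=198.51.100.2\n\tike=aes128-sha1;modp1024\n\tesp=aes128-sha1\n' \
        "$POLICY" > "$d/override.conf"
    printf 'config setup\n\tplutodebug=none\n' > "$d/missing.conf"
    echo "$d"
}

# Demo run over the constructed samples; on a real host run the two
# functions against /etc/ipsec.conf and each file under /etc/ipsec.d/.
main() {
    d=$(make_samples)
    for name in good commented override missing; do
        f="$d/$name.conf"
        printf '%s: include %s\n' "$name.conf" "$(policy_include_status "$f")"
        later_candidates "$f" | sed 's/^/    supersedes? /'
    done
    rm -rf "$d"
}
main
```

Only "present" with an empty supersedes list is a clean pass; "present" with flagged lines means the include is active but a later include or an explicit algorithm line in a conn section may be narrowing or replacing it and should be compared against the back-end file by hand.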