An XCCDF Group - A logical subset of the XCCDF Benchmark
update-crypto-policies
crypto-policies
$ sudo yum install crypto-policies
/etc/named.conf
options
include "/etc/crypto-policies/back-ends/bind.config";
$ sudo update-crypto-policies --set
/etc/crypto-policies/back-ends
/etc/crypto-policies/back-ends/gnutls.config
+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0
/etc/ipsec.conf
include /etc/crypto-policies/back-ends/libreswan.config
/etc/pki/tls/openssl.cnf
ini
[ crypto_policy ]
.include /etc/crypto-policies/back-ends/opensslcnf.config
$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config
MinProtocol = TLSv1.2
$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config
TLS.MinProtocol = TLSv1.2
DTLS.MinProtocol = DTLSv1.2
CRYPTO_POLICY
/etc/sysconfig/sshd
opensslcnf-xxx.config
xxx
/etc/crypto-policies/local.d
/etc/crypto-policies/back-ends/opensslcnf.config
Ciphersuites
/etc/ssh/ssh_config.d/
05-redhat.conf
02-ospp.conf
/etc/crypto-policies/back-ends/openssh.config
Ciphers
/etc/crypto-policies/back-ends/opensshserver.config
-oCiphers=
opensshserver-xxx.config
MACs
-oMACS=
openssl
-rand /dev/random
/etc/profile.d/openssl-rand.sh
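# provide a default -rand /dev/random option to openssl commands that
# support it
# written inefficiently for maximum shell compatibility
#
# Shell function sourced from /etc/profile.d/openssl-rand.sh.  The body is
# a subshell ( ... ), so the exec calls below replace only the subshell,
# never the interactive shell that defined the function.
# Arguments: the openssl sub-command and its options, passed through as-is
# Outputs:   whatever the real /usr/bin/openssl writes
# Returns:   the exit status of the real openssl (non-zero if it cannot run)
openssl() (
  openssl_bin=/usr/bin/openssl
  case "$*" in
    # if user specified -rand, honor it
    *\ -rand\ *|*\ -help*)
      exec "$openssl_bin" "$@"
      ;;
  esac
  # Space-delimited list of sub-commands that accept -rand.  The list is
  # padded with a space on both ends so the " $1 " match below also works
  # for the first and last entries, even when the loop adds nothing.
  cmds=" $("$openssl_bin" list -digest-commands -cipher-commands | tr '\n' ' ') "
  for i in $("$openssl_bin" list -commands); do
    if "$openssl_bin" list -options "$i" | grep -q '^rand '; then
      cmds=" $i $cmds"
    fi
  done
  case "$cmds" in
    *\ "$1"\ *)
      cmd="$1"; shift
      exec "$openssl_bin" "$cmd" -rand /dev/random "$@"
      ;;
  esac
  exec "$openssl_bin" "$@"
)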