Security

System-wide crypto policy

In the Enterprise IT, the security landscape is constantly evolving. Without robust cryptographic integrity protections, information can be altered by unauthorized users without detection. With Red Hat Enterprise Linux 8.0 the system-wide crypto policy was introduced. This component configures the core cryptographic subsystems, covering TLS, IPSec, DNSSec, Kerberos, and secure communication protocols. This allows to apply a consistent cryptographic policy at scale. The predefined policies are DEFAULT, LEGACY, FUTURE, FIPS. The default system-wide crypto policy is set to DEFAULT by Red Hat. Beside the vendor-specific policies, it is possible to specify customized crypto policies.

More information here: System-wide crypto policiesopen in new window

Swisscom crypto policy for RHEL 8 and RHEL 9

On Swisscom RHEL 8 and Swisscom RHEL 9 VMs, the SWISSCOM customized crypto policy is enabled and enforced with Ansible. You can check the enabled crypto policy by using the update-crypto-policies tool:

$ update-crypto-policies --show
SWISSCOM

The table below shows the relevant differences between the SWISSCOM and the vendor-specific DEFAULT crypto policy. The enabled SWISSCOM crypto policy is a conservative policy for today’s security standards. It allows the TLS 1.2 and 1.3 protocols, as well as IKEv2 and SSH2. The RSA and Diffie-Hellman parameters are accepted if larger than 2047 respectively 3071 bits. The policy provides at least 128-bit security, except for SHA-1 signatures needed for DNSSec and other still prevalent legacy use of SHA-1 signatures.

SWISSCOM PolicyDEFAULT Policy RHEL 8DEFAULT Policy RHEL 9
TLS v1.0nonono
TLS v1.1nonono
TLS v1.2yesyesyes
TLS v1.3yesyesyes
Internet Key Exchange (IKE) v1nonono
Internet Key Exchange (IKE) v2yesyesyes
Diffie-Hellman (DH) key sizemin. 2048-bitmin. 2048-bitmin. 2048-bit
DSA key sizemin. 3072-bitmin. 2048-bitN/A (no DSA)
RSA key sizemin. 3072-bitmin. 2048-bitmin. 2048-bit
SHA-1 in digital signaturesyesyesno
OpenSSH certificate authenticationyesyesyes
OpenSSH EtM (encrypt-then-mac) extensionyesyesyes
Message Authentication Code (MAC)all HMAC with SHA-256 or betterall HMAC with SHA-1 or betterall HMAC with SHA-1 or better
Cryptographic hashall with SHA-256 hash or betterall with SHA-1 hash or betterall with SHA-224 hash or better (no DSA)
Signature algorithmall with SHA-256 hash or better (no DSA)all with SHA-1 hash or better (no DSA)all with SHA-224 hash or better (no DSA)
Key exchange algorithmECDHE, RSA, DHE, DHE-RSAECDHE, RSA, DHE, DHE-RSA, PSK, DHE-PSK, ECDHE-PSK, ECDHE-GSS, DHE-GSSECDHE, RSA, DHE (no DHE-DSS)
TLS ciphersmin. 256-bit key, min. 128-bit block, including AES, ChaCha20, AES-CBCmin. 128-bit key, min. 128-bit block, including AES, ChaCha20, AES-CBCmin. 128-bit key, min. 128-bit block (AES, ChaCha20)
Non-TLS cipherssame as TLS ciphers with added Camelliasame as TLS ciphers with added Camelliamin. 128-bit key, min. 128-bit block (AES, ChaCha20)
Groups or elliptic curvesall prime >= 255 bits (including Bernstein curves)all prime >= 255 bits (including Bernstein curves)all prime >= 255 bits (including Bernstein curves)

Exception for Crypto policies

If you have an approved security exception and you want to customize the SWISSCOM crypto policy this is documented in this howto-article.

Controlling access to crontab command for users

On Managed RHEL the OS hardening blocks users to perform crontab command tasks such as creating, editing, displaying, or removing their own crontab files. To allow this for a specific user the username must be added to the file /etc/cron.allow

$ echo <username> |sudo tee -a /etc/cron.allow
Last Updated: