← Rules Catalog
mediumsystemverified rollback-safe

Ensure system wide crypto policy disables SHA1 hash and signature support

crypto-policy-no-sha1 · RHEL ≥ 8 · 1 impl

Description

The effective system-wide crypto policy must disable SHA1 for hashing, signatures, and certificate validation. This is verified by inspecting the compiled policy state in /etc/crypto-policies/state/CURRENT.pol, not the policy name. HMAC-SHA1 is not affected per CIS guidance, as HMAC does not rely on collision resistance.

Rationale

SHA-1 collision attacks are practical and publicly demonstrated. Allowing SHA-1 for hashing or signatures enables forgery of certificates, code signatures, and other authenticated data. The sha1_in_certs directive must also be disabled to prevent acceptance of SHA-1-signed certificates.

Check → Remediate

Checkcomposed · 2 sub-checks (all must pass)
1. command:
run=awk -F= '($1~/(hash|sign)/ && $2~/SHA1/ && $2!~/^\s*-\s*([^#\n\r]+)?SHA1/){print}' /etc/crypto-policies/state/CURRENT.pol expected_exit=0 expected_stdout=
2. command:
run=grep -Psi -- '^\h*sha1_in_certs\h*=\h*' /etc/crypto-policies/state/CURRENT.pol | grep -q '= 0' expected_exit=0
Remediatefile_content
path:
/etc/crypto-policies/policies/modules/NO-SHA1.pmod
content:
# Subpolicy dropping SHA1 hash and signature support hash = -SHA1 sign = -*-SHA1 sha1_in_certs = 0
owner:
root
group:
root
mode:
0644

Framework references

CIS

rhel8 1.6.2rhel9 1.6.3rhel10 1.6.2

NIST 800-53

SC-13SC-12MA-4(6)

Live verification

rhel10:checkrhel8:checkrhel9:check
#crypto-policy#sha1#security#cryptography