mediumsystemverified ✓rollback-safe
Ensure system wide crypto policy disables SHA1 hash and signature support
crypto-policy-no-sha1 · RHEL ≥ 8 · 1 impl
Description
The effective system-wide crypto policy must disable SHA1 for hashing, signatures, and certificate validation. This is verified by inspecting the compiled policy state in /etc/crypto-policies/state/CURRENT.pol, not the policy name. HMAC-SHA1 is not affected per CIS guidance, as HMAC does not rely on collision resistance.
Rationale
SHA-1 collision attacks are practical and publicly demonstrated. Allowing SHA-1 for hashing or signatures enables forgery of certificates, code signatures, and other authenticated data. The sha1_in_certs directive must also be disabled to prevent acceptance of SHA-1-signed certificates.
Check → Remediate
Checkcomposed · 2 sub-checks (all must pass)
- 1. command:
- run=awk -F= '($1~/(hash|sign)/ && $2~/SHA1/ && $2!~/^\s*-\s*([^#\n\r]+)?SHA1/){print}' /etc/crypto-policies/state/CURRENT.pol expected_exit=0 expected_stdout=
- 2. command:
- run=grep -Psi -- '^\h*sha1_in_certs\h*=\h*' /etc/crypto-policies/state/CURRENT.pol | grep -q '= 0' expected_exit=0
Remediatefile_content
- path:
- /etc/crypto-policies/policies/modules/NO-SHA1.pmod
- content:
- # Subpolicy dropping SHA1 hash and signature support hash = -SHA1 sign = -*-SHA1 sha1_in_certs = 0
- owner:
- root
- group:
- root
- mode:
- 0644
Framework references
CIS
rhel8 1.6.2rhel9 1.6.3rhel10 1.6.2
NIST 800-53
SC-13SC-12MA-4(6)
Live verification
rhel10:checkrhel8:checkrhel9:check
#crypto-policy#sha1#security#cryptography