← Rules Catalog
criticalsystemverified

Ensure system-wide crypto policy is not overridden

crypto-policy-not-overridden · RHEL 8 · 1 impl

Description

Individual application crypto settings must not override the system-wide cryptographic policy set by crypto-policies. The policy must be applied consistently across all subsystems.

Rationale

If individual applications override the system-wide crypto policy, they may use weaker algorithms than required. RHEL 8 must be configured so the system-wide policy is enforced for all applications.

Check → Remediate

Checkcommand
update-crypto-policies --show 2>/dev/null
expected_stdout:
FIPS
Remediatemanual
note:
Review and remove any application-specific crypto policy overrides. Run: update-crypto-policies --set FIPS to apply the FIPS policy. Remove any --set or --set-scope overrides in /etc/crypto-policies/.

Framework references

STIG

V-279932

NIST 800-53

SC-13AC-17

Live verification

rhel8:check
#crypto-policies#fips#cryptography