mediumsystemverified ✓rollback-safe
Ensure system wide crypto policy disables MACs less than 128 bits
crypto-policy-strong-macs · RHEL ≥ 8 · 1 impl
Description
The system-wide crypto policy should disable Message Authentication Codes (MACs) that use less than 128 bits, as they provide insufficient security.
Rationale
MACs with less than 128 bits of security are vulnerable to brute force attacks with modern computing resources. Using stronger MACs ensures message integrity and authenticity.
Check → Remediate
Checkcommand
# CIS: the system-wide crypto policy's MAC list must contain no 64-bit
# truncated MAC (e.g. UMAC-64). Audit the effective policy directly, not
# an sshd proxy (sshd can be hardened while the policy still allows a
# weak MAC).
pol=/etc/crypto-policies/state/CURRENT.pol
if [ -f "$pol" ]; then
if grep -iE '^[[:space:]]*mac[[:space:]]*=' "$pol" | grep -qiE '\-64([^0-9]|$)'; then
echo "FAIL: a 64-bit MAC is enabled in the system crypto policy ($pol)"
exit 1
fi
echo "OK: no 64-bit MACs in the system crypto policy"
exit 0
fi
# No CURRENT.pol: fall back to the named policy (FIPS/FUTURE carry no -64 MAC).
case "$(update-crypto-policies --show 2>/dev/null)" in
FUTURE*|FIPS*) echo "OK: named policy has no 64-bit MACs"; exit 0 ;;
esac
echo "FAIL: cannot verify the system crypto policy MAC list"
exit 1
- expected_exit:
- 0
Remediatecrypto_policy_subpolicy
- subpolicy:
- NO-WEAKMAC
- unless:
- update-crypto-policies --show | grep -q ':NO-WEAKMAC'
Framework references
CIS
rhel9 1.6.4rhel8 1.6.3rhel10 1.6.3
NIST 800-53
SC-13SC-12
Live verification
rhel9:check
#crypto-policy#mac#security#cryptography