← Rules Catalog
mediumsystemverified rollback-safe

Ensure system wide crypto policy disables MACs less than 128 bits

crypto-policy-strong-macs · RHEL ≥ 8 · 1 impl

Description

The system-wide crypto policy should disable Message Authentication Codes (MACs) that use less than 128 bits, as they provide insufficient security.

Rationale

MACs with less than 128 bits of security are vulnerable to brute force attacks with modern computing resources. Using stronger MACs ensures message integrity and authenticity.

Check → Remediate

Checkcommand
# CIS: the system-wide crypto policy's MAC list must contain no 64-bit
# truncated MAC (e.g. UMAC-64). Audit the effective policy directly, not
# an sshd proxy (sshd can be hardened while the policy still allows a
# weak MAC).
pol=/etc/crypto-policies/state/CURRENT.pol
if [ -f "$pol" ]; then
  if grep -iE '^[[:space:]]*mac[[:space:]]*=' "$pol" | grep -qiE '\-64([^0-9]|$)'; then
    echo "FAIL: a 64-bit MAC is enabled in the system crypto policy ($pol)"
    exit 1
  fi
  echo "OK: no 64-bit MACs in the system crypto policy"
  exit 0
fi
# No CURRENT.pol: fall back to the named policy (FIPS/FUTURE carry no -64 MAC).
case "$(update-crypto-policies --show 2>/dev/null)" in
  FUTURE*|FIPS*) echo "OK: named policy has no 64-bit MACs"; exit 0 ;;
esac
echo "FAIL: cannot verify the system crypto policy MAC list"
exit 1
expected_exit:
0
Remediatecrypto_policy_subpolicy
subpolicy:
NO-WEAKMAC
unless:
update-crypto-policies --show | grep -q ':NO-WEAKMAC'

Framework references

CIS

rhel9 1.6.4rhel8 1.6.3rhel10 1.6.3

NIST 800-53

SC-13SC-12

Live verification

rhel9:check
#crypto-policy#mac#security#cryptography