corrections from checking output
taroth21 committed Aug 11, 2023
1 parent 50fef5b commit b0176c7
Showing 1 changed file with 38 additions and 41 deletions.
79 changes: 38 additions & 41 deletions xml/security_cryptopolicy.xml
Expand Up @@ -8,7 +8,7 @@
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="cha-security-cryptopolicy">
xml:id="cha-security-cryptopolicies">
<!--taroth 2023-04-28
Main ToDos (based on https://bugzilla.suse.com/show_bug.cgi?id=1209998#c7)
* add new chapter to Security Guide, describe also integration
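Review bot: renaming the chapter id from cha-security-cryptopolicy to cha-security-cryptopolicies (and the sect1 ids later in this file) breaks every <xref linkend="..."/> or <link> in the docset that still targets the old names, and a dangling linkend fails validation; grep the rest of the repository for the old ids before merging and update the references in the same commit.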
Expand All @@ -20,19 +20,19 @@
<info>
<abstract>
<para>
bla
TODO
</para>
</abstract>
<dm:docmanager xmlns:dm="urn:x-suse:ns:docmanager">
<dm:bugtracker></dm:bugtracker>
<dm:translation>yes</dm:translation>
</dm:docmanager>
</info>
<sect1 xml:id="sec-security-cryptopolicy-oview">
<title>Conceptual overview</title>
<sect1 xml:id="sec-security-cryptopolicies-concept">
<title>The <command>crypto-policies</command> concept</title>

<para>
The <package>crypto-policies</package> RPM package provides pre-built
The <package>crypto-policies</package> RPM package provides predefined
configuration files with cryptographic policies for cryptographic
back-ends, such as SSL/TLS libraries. This package allows to set the
cryptographic security level for all applications that use a
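Review bot: the abstract is still a placeholder ("bla" became "TODO"), so the chapter cannot ship as-is; either write the abstract now or wrap the placeholder in a <remark> so it is not published unnoticed. In the unchanged context line, "This package allows to set the cryptographic security level" is ungrammatical; suggest "This package lets you set the cryptographic security level".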
Expand All @@ -43,16 +43,16 @@
Crypto-policies apply to the configuration of the core cryptographic
subsystems. They cover the supported secure communications protocols on
the base operating system, such as TLS, IKE, IPSec, DNSSec and Kerberos
protocols. Having crypto-policies allows to easily handle the deprecation
of algorithms or protocols system-wide and in a transparent manner.
protocols. Crypto-policies allow to handle the deprecation of algorithms
or protocols system-wide and in a transparent manner.
</para>
</sect1>
<sect1>
<title>Predefined policy levels</title>
<sect1 xml:id="sec-security-cryptopolicies-predefined">
<title>Predefined cryptographic policies</title>

<para>
The <package>crypto-policies</package> package comes with the following
predefined policy levels:
predefined policies that can be applied system-wide:
</para>

<variablelist>
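Review bot: "Crypto-policies allow to handle the deprecation of algorithms or protocols system-wide and in a transparent manner" keeps the "allow to" construction from the old text; suggest "Crypto-policies let you deprecate algorithms or protocols system-wide and transparently." In the context line, the usual spellings are "IPsec" and "DNSSEC".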
Expand Down Expand Up @@ -118,20 +118,21 @@
and are read-only.
</para>
</sect1>
<sect1>
<title>Switching to a different crypto-policy level</title>
<sect1 xml:id="sec-security-cryptopolicies-switch">
<title>Switching to a different crypto-policy</title>

<para>
Use the <command>update-crypto-policies</command> to set the policy level
which is applied to the cryptographic back-ends. It is the default policy
used by these back-ends unless the application user configures them
Use the <command>update-crypto-policies</command> command to view and set
the policy which is applied system-wide to the cryptographic back-ends.
The policy which has been set with this command is used by these
back-ends by default unless the application user configures them
otherwise.
</para>

<procedure>
<step>
<para>
To check the crypto-policy level that is currently in use:
To check the crypto-policy that is currently in use:
</para>
<screen>&prompt.root;<command>update-crypto-policies --show</command></screen>
</step>
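Review bot: the new sentence "The policy which has been set with this command is used by these back-ends by default unless the application user configures them otherwise" is hard to parse; suggest splitting it: "The policy set with this command is the default for all cryptographic back-ends. Individual applications can still be configured to override it."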
Expand All @@ -140,28 +141,28 @@
To switch to a different policy level, use the <option>--set</option>
option:
</para>
<screen>update-crypto-policies --set <replaceable>POLICY</replaceable></screen>
<remark>taroth 2023-07-04: do we need a word of caution here for LEGACY and FIPS?
and can we tell that switching to 'LEGACY' enables compatibility with a specific
older SLE version, like SLE 12 SP5 or so?
</remark>
<important>
<title>LEGACY crypto-policy level is less secure</title>
<title>LEGACY crypto-policy is less secure</title>
<para>
Switching to a LEGACY crypto-policy level makes your system and
Switching to a LEGACY crypto-policy makes your system and
applications less secure.
</para>
</important>
</step>
<step>
<para>
After switching to a different policy level restart the system to
apply the changes to the applications.
After switching to a different policy reboot the machine to apply the
changes to the applications:
</para>
<screen>&prompt.root;<command>reboot</command></screen>
</step>
</procedure>
</sect1>
<sect1>
<sect1 xml:id="sec-security-cryptopolicies-subpolicies">
<title>Customizing existing crypto-policies</title>

<para>
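Review bot: the context line "To switch to a different policy level, use the --set option" still says "policy level" although this commit renames the section to "Switching to a different crypto-policy" and drops "level" from the <important> title and text; change it to "To switch to a different policy". The <screen> for --set also lacks the &prompt.root;<command> markup that the --show and reboot screens use, so it renders inconsistently. The 2023-07-04 <remark> about LEGACY and FIPS is still open; the <important> box says LEGACY is less secure but not why, and that should be resolved before publishing.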
Expand All @@ -178,10 +179,10 @@
<filename>/usr/share/crypto-policies/policies/modules</filename>.
However, your own subpolicies need to be stored in
<filename>/etc/crypto-policies/policies/modules</filename> (unless they
are packaged). The name of the subpolicy file must be
are packaged). Name the subpolicy file
<filename><replaceable>MODULE</replaceable>.pmod</filename>, where
<replaceable>MODULE</replaceable> is the name of the subpolicy. It needs
to be spelled in uppercase letters and without spaces.
<replaceable>MODULE</replaceable> is the name of the subpolicy. The file
name needs to be spelled in uppercase letters and without spaces.
</para>

<example xml:id="ex-crypto-policy-subpolicy">
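Review bot: "The file name needs to be spelled in uppercase letters and without spaces" reads as though the .pmod suffix were uppercase too; attach the constraint to the replaceable instead, e.g. "MODULE must consist of uppercase letters and must not contain spaces", which matches NO-RSA-PSK.pmod in the example that follows.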
Expand All @@ -200,10 +201,11 @@
In <filename>/etc/crypto-policies/policies/modules/</filename>
create a new file, named <filename>NO-RSA-PSK.pmod</filename>.
</para>
<screen>&prompt.root;<command>touch</command> /etc/crypto-policies/policies/modules/NO-RSA-PSK.pmod</screen>
</step>
<step>
<para>
Add the following line and save the file afterwards:
Add the following line to the file and save it afterwards:
</para>
<screen>key_exchange = -RSA -PSK</screen>
<para>
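Review bot: the new touch step and the "Add the following line to the file" step could be merged, since writing the line creates the file; if touch is kept for clarity, add a few words to the second step making clear that "key_exchange = -RSA -PSK" is file content (hence no &prompt.root; prefix), not a command to type.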
Expand All @@ -224,13 +226,13 @@
Double-check if the subpolicy has been added to
<literal>DEFAULT</literal>:
</para>
<screen><command>update-crypto-policies --show</command>
<screen>&prompt.root;<command>update-crypto-policies --show</command>
DEFAULT:NO-RSA-PSK</screen>
</step>
<step>
<para>
Reboot the system to apply the system-wide policy adjustment to the
applications:
Reboot the machine to apply the system-wide policy adjustment to
the applications:
</para>
<screen>&prompt.root;<command>reboot</command></screen>
</step>
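Review bot: "Double-check if the subpolicy has been added" should be "Double-check that the subpolicy has been added", since the step verifies a state. Adding &prompt.root; to the --show screen is a good change here because the screen mixes the typed command with its printed output (DEFAULT:NO-RSA-PSK), and the prompt now makes the distinction visible.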
Expand All @@ -249,7 +251,8 @@ DEFAULT:NO-RSA-PSK</screen>
<filename>/etc/crypto-policies/policies/</filename>. Name your file
<filename><replaceable>MY_POLICY</replaceable>.pol</filename>, where
<replaceable>MY_POLICY</replaceable> is the name of the policy. Make sure
it is owned by &rootuser; and is not writable by non-privileged users.
the policy file is owned by &rootuser; and is not writable by
non-privileged users.
</para>

<example xml:id="ex-crypto-policy-custom">
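Review bot: "Make sure the policy file is owned by &rootuser; and is not writable by non-privileged users" would be more actionable with the concrete check, e.g. that ls -l on the .pol file shows root as owner and no group or world write bit, and with the reason: the file defines the system-wide policy, so a non-privileged user who can write it can weaken the cryptographic settings of every application on the machine.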
Expand All @@ -264,7 +267,7 @@ DEFAULT:NO-RSA-PSK</screen>
Copy the <literal>DEFAULT</literal> policy to
<filename>/etc/crypto-policies/policies/</filename> and rename it:
</para>
<screen>cp /usr/share/crypto-policies/policies/DEFAULT.pol /etc/crypto-policies/policies/<replaceable>MY_POLICY</replaceable>.pol</screen>
<screen>&prompt.root;<command>cp</command> /usr/share/crypto-policies/policies/DEFAULT.pol /etc/crypto-policies/policies/<replaceable>MY_POLICY</replaceable>.pol</screen>
</step>
<step>
<para>
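Review bot: since the cp now runs as &rootuser;, the copied file is created with root ownership, which satisfies the ownership requirement stated in the paragraph above; a short sentence saying so would save the reader from wondering whether a chown step is missing.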
Expand All @@ -275,28 +278,22 @@ DEFAULT:NO-RSA-PSK</screen>
<para>
Switch the system to the new policy:
</para>
<screen>&prompt.root;<command>update-crypto-policies --set MY_POLICY</command></screen>
<screen>&prompt.root;<command>update-crypto-policies --set</command> MY_POLICY</screen>
</step>
<step>
<para>
Reboot the system to apply the new policy to the
applications and running services:
Reboot the machine to apply the new policy to the applications and
running services:
</para>
<screen>&prompt.root;<command>reboot</command></screen>
</step>
<step>
<para>
Double-check if the policy is active:
</para>
<screen><command>update-crypto-policies --show</command>
<screen>&prompt.root;<command>update-crypto-policies --show</command>
MY_POLICY</screen>
</step>
<step>
<para>
Reboot the system to apply the system-wide policy adjustment to the
applications.
</para>
</step>
</procedure>
</example>
</sect1>
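Review bot: the --set and --show screens write MY_POLICY as plain text while the cp screen earlier in the example wraps it in <replaceable>; use <replaceable>MY_POLICY</replaceable> in all three so the reader knows to substitute their own policy name. Removing the duplicated final "Reboot the system" step is correct, because the reboot already precedes the --show check, and moving MY_POLICY outside <command> in the --set screen matches the markup of the cp line.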
