Benchmark 3248135 1.6.5
https://workbench.cisecurity.org/sections/3248135/recommendations/5315120
The example of remedy is reverted by the CIS script itself.
The example given on the page is "printf '%s\n' "# This is a subpolicy to disable weak macs" "mac = -*-128" >> /etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod"
But the CIS workbench script, cis_lbk_suse_linux_enterprise_15_benchmark_v2.0.1/functions/recommendations/1-Initial_Setup/nix_fed_ensure_system_wide_crypto_policy_disables_macs_less_than_128bits.sh
overwrites this remedy and inserts mac = -*-64, causing the benchmark to warn for manual handling after each run as it has reverted the NO-WEAKMAC.pmod file to 64.
Part of script:
# Create NO-WEAKMAC.pmod
echo -e "- Creating NO-WEAKMAC.pmod" | tee -a "$LOG" 2>> "$ELOG"
echo -e "# This is a subpolicy to disable weak macs\nmac = -*-64" > /etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod
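A drift check for the overwrite described in the post above, as an added example that is not part of the original post or of the CIS build kit: it reads the `mac` directives from NO-WEAKMAC.pmod and compares them with the value the benchmark page gives. The function names are hypothetical, and treating any `mac` value other than the expected one as drift is an assumption of this example.

```shell
# Added example, not CIS code. Path and values are the ones quoted in the post;
# the function names are hypothetical.
PMOD_DEFAULT="/etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod"
EXPECTED_DEFAULT='-*-128'   # value from the benchmark page's remediation example

# Print the value of every "mac =" directive in a .pmod file, one per line.
# Comments (full-line or trailing) are stripped first, then whitespace is trimmed.
pmod_mac_values() {
    sed -e 's/#.*$//' "$1" | awk '
        /^[ \t]*mac[ \t]*=/ {
            v = $0
            sub(/^[^=]*=/, "", v)            # drop everything up to the first "="
            gsub(/^[ \t]+|[ \t]+$/, "", v)   # trim surrounding whitespace
            print v
        }'
}

# Return 0 if the file carries exactly the expected mac directive,
# 1 if it carries something else (drift), 2 if the file or directive is missing.
check_weakmac_pmod() {
    local file="${1:-$PMOD_DEFAULT}"
    local expected="${2:-$EXPECTED_DEFAULT}"
    local values

    if [ ! -r "$file" ]; then
        echo "MISSING: $file"
        return 2
    fi

    values="$(pmod_mac_values "$file")"
    if [ -z "$values" ]; then
        echo "NO-MAC-DIRECTIVE: $file"
        return 2
    fi

    if [ "$values" = "$expected" ]; then
        echo "OK: mac = $expected"
        return 0
    fi

    echo "DRIFT: expected 'mac = $expected', found: $(echo "$values" | tr '\n' ' ')"
    return 1
}

# Usage: check_weakmac_pmod            (defaults to the path and value above)
#        check_weakmac_pmod FILE VALUE
```

Running the check before and after the build kit script makes the revert visible as a change from exit status 0 to 1.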
Comments: 1
21 Apr, '25
Moderator Admin
Hi Mino
thanks for that information. Can you please add a ticket for your suggestion on Workbench and that way the community can review the suggestion?
Please add a new ticket for the recommendation at the link https://workbench.cisecurity.org/benchmarks/21095/tickets
Regards
Chris