On 11.10.19 22:40, Warren Young wrote:
> On Oct 11, 2019, at 12:12 PM, Jerry Geis <jerry.geis at gmail.com> wrote:
>>
>> is there a script that is available that can be run to bring
>> a box up to current "accepted" levels ?
>
> I don't know why you'd use a script for this at all. Just ship a new HTTPS configuration to each server. Apache loads all *.conf files in its configuration directory, so you might be able to just add another file to the existing config set. If not, then replace the existing config file instead.

Instead of configuring every application separately it would be nice if "accepted levels of security" could be set system wide.

With 8 it seems there is such a thing

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening

Although I believe that FIPS mode is also available in 7.

I have used neither system-wide cryptographic policies nor FIPS mode, so my post is more of a theoretical one, but I thought it is on topic.

--
Kind Regards, Markus Falb
On Oct 12, 2019, at 4:06 AM, Markus Falb <markus.falb at fasel.at> wrote:
>
> On 11.10.19 22:40, Warren Young wrote:
>> Just ship a new HTTPS configuration to each server.
>
> Instead of configuring every application separately it would be nice if
> "accepted levels of security" could be set system wide.

…which implies that there is some authority that defines "accepted level" the way you'd do it if you could be bothered to think through all of the use cases, combinations, and implications.

Who is that central organization? Are you sure their notions match your own?

> With 8 it seems there is such a thing
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
>
> Although I believe that FIPS mode is also available in 7

That's FIPS 140-2, a standard from 2001, which is three TLS standards ago.

FIPS 140-3 just barely became effective a few weeks ago, which means it won't be considered for inclusion in RHEL until 9, which I don't expect to appear until 3-4 years from now, by which time FIPS 140-2 will be around 21 years old.

So, we not only have a situation where adopting FIPS 140-2 requires that you use badly outdated security technologies, it also means you might not be able to communicate with those that do support modern standards, if they've dropped compatibility with 2001 era tech sometime in the last 18 years.

If we can be well-guided by past events, there's a better than 50/50 chance that any given person on this list won't even be in IT any more when FIPS 140-4 comes out.
On 12.10.19 19:33, Warren Young wrote:
> On Oct 12, 2019, at 4:06 AM, Markus Falb <markus.falb at fasel.at> wrote:
>>
>> On 11.10.19 22:40, Warren Young wrote:
>>> Just ship a new HTTPS configuration to each server.
>>
>> Instead of configuring every application separately it would be nice if
>> "accepted levels of security" could be set system wide.
>
> …which implies that there is some authority that defines "accepted level" the way you'd do it if you could be bothered to think through all of the use cases, combinations, and implications.
>
> Who is that central organization? Are you sure their notions match your own?

You should have the authority discussion with OP, who brought that thing with "accepted" up.

On Oct 11, 2019, at 12:12 PM, Jerry Geis <jerry.geis at gmail.com> wrote:
#
# is there a script that is available that can be run to bring
# a box up to current "accepted" levels ?

My post was about system-wide configuration, not about authorities.

However, take a look at the subject of this thread. Who defines what is old? What about best practices like disable SSLv3 or TLSv1? Could the authority be the community or some common knowledge?

>
>> With 8 it seems there is such a thing
>>
>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
>>
>> Although I believe that FIPS mode is also available in 7
>
> That's FIPS 140-2, a standard from 2001, which is three TLS standards ago.

If I look at the comparison table from the link above, FIPS mode does not look that bad. I guess that I would get an A rating from ssllabs.

>
> FIPS 140-3 just barely became effective a few weeks ago, which means it won't be considered for inclusion in RHEL until 9, which I don't expect to appear until 3-4 years from now, by which time FIPS 140-2 will be around 21 years old.
>
> So, we not only have a situation where adopting FIPS 140-2 requires that you use badly outdated security technologies, it also means you might not be able to communicate with those that do support modern standards, if they've dropped compatibility with 2001 era tech sometime in the last 18 years.

I read you saying that FIPS 140-2 is not good enough. Apart from age, why?

--
Kind Regards, Markus Falb
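Added example, not from any message in this thread: Warren suggests shipping a new HTTPS configuration to each server, and Markus asks who decides that SSLv3 or TLSv1 count as "old". Before (or after) shipping such a config it helps to audit what the existing Apache `SSLProtocol` directives actually leave enabled. The POSIX shell script below evaluates `SSLProtocol` lines the way mod_ssl does (`all` enables every version, `+`/`-` add or remove one, bare names select exactly those) and flags any file that still allows SSLv3, TLSv1 or TLSv1.1. The sample configuration, the protocol list and the function names are constructed for the example and are not the project's or the posters' own.

```shell
#!/bin/sh
# Audit Apache mod_ssl "SSLProtocol" directives for legacy protocol versions.
# Constructed example; the protocol list reflects versions Apache 2.4 knows about.

# effective_protocols "SSLProtocol all -SSLv3"
#   -> prints the protocol versions the directive leaves enabled, one per line
effective_protocols() {
    printf '%s\n' "$1" | awk '
    BEGIN { n = split("SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3", all, " ") }
    tolower($1) == "sslprotocol" {
        for (i = 2; i <= NF; i++) {
            tok = $i; sign = substr(tok, 1, 1)
            # A bare token (no + or -) selects the version, like "+"
            if (sign == "+" || sign == "-") tok = substr(tok, 2); else sign = "+"
            if (tolower(tok) == "all") {
                for (j = 1; j <= n; j++) on[all[j]] = (sign == "+")
            } else {
                on[tok] = (sign == "+")
            }
        }
        for (j = 1; j <= n; j++) if (on[all[j]]) print all[j]
    }'
}

# allows_legacy DIRECTIVE -> exit 0 if SSLv3, TLSv1 or TLSv1.1 remain enabled
allows_legacy() {
    effective_protocols "$1" | grep -qxE 'SSLv3|TLSv1|TLSv1\.1'
}

# audit_file CONF -> prints "WEAK:" or "OK:" for every SSLProtocol line in CONF
audit_file() {
    grep -iE '^[[:space:]]*SSLProtocol' "$1" | while IFS= read -r line; do
        if allows_legacy "$line"; then
            printf 'WEAK: %s\n' "$line"
        else
            printf 'OK:   %s\n' "$line"
        fi
    done
}

# Constructed sample config: one legacy-era directive and two hardened ones.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
# constructed sample, not a real server's ssl.conf
SSLProtocol all -SSLv2
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProtocol TLSv1.2 TLSv1.3
EOF
audit_file "$tmp"
rm -f "$tmp"
```

Run it against `/etc/httpd/conf.d/ssl.conf` (or every `*.conf` in that directory, since Apache loads them all) to see which hosts still need the new configuration; on RHEL 8 the system-wide policy only applies where the Apache config does not override it with its own `SSLProtocol`, so the check is still useful there.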