From 98adf66aa477dad60f8efeb62d66db47f03f0106 Mon Sep 17 00:00:00 2001 From: Tanja Roth Date: Fri, 11 Aug 2023 16:15:20 +0200 Subject: [PATCH] create new policy --- xml/security_cryptopolicy.xml | 75 +++++++++++++++++++++++++++++++---- 1 file changed, 68 insertions(+), 7 deletions(-) diff --git a/xml/security_cryptopolicy.xml b/xml/security_cryptopolicy.xml index f6a92fec98..97c5b21d03 100644 --- a/xml/security_cryptopolicy.xml +++ b/xml/security_cryptopolicy.xml @@ -114,7 +114,7 @@ policies, therefore see the man page of crypto-policies. All predefined policies are located in - /usr/share/crypto-policies/policiesNAME.pol + /usr/share/crypto-policies/policies/NAME.pol and are read-only. @@ -178,8 +178,8 @@ /usr/share/crypto-policies/policies/modules. However, your own subpolicies need to be stored in /etc/crypto-policies/policies/modules (unless they - are packaged) . The name of the subpolicy file must be - MODULE.pmod, where + are packaged). The name of the subpolicy file must be + MODULE.pmod, where MODULE is the name of the subpolicy. It needs to be spelled in uppercase letters and without spaces. @@ -216,7 +216,6 @@ Assuming the current system-wide policy is DEFAULT and you want to apply the newly created subpolicy to DEFAULT: - command: &prompt.root;update-crypto-policies --set DEFAULT:NO-RSA-PSK @@ -226,17 +225,79 @@ DEFAULT: update-crypto-policies --show - DEFAULT:NO-RSA-PSK +DEFAULT:NO-RSA-PSK Reboot the system to apply the system-wide policy adjustment to the - applications. + applications: +&prompt.root;reboot + + + Creating a new policy from scratch + + + Instead of customizing an existing crypto-policy with a subpolicy you can + also decide to write a new policy from scratch. You can use any of the + predefined policies in + /usr/share/crypto-policies/policies/ as a starting + point. However, your own policy file needs to be stored in + /etc/crypto-policies/policies/. Name your file + MY_POLICY.pol, where + MY_POLICY is the name of the policy. Make sure + it is owned by &rootuser; and is not writable by non-privileged users. + - + + Creating a new policy and applying it + + The following example shows you how to create a new policy based on the + DEFAULT policy. + + + + + Copy the DEFAULT policy to + /etc/crypto-policies/policies/ and rename it: + +cp /usr/share/crypto-policies/policies/DEFAULT.pol /etc/crypto-policies/policies/MY_POLICY.pol + + + + Edit the policy as desired and save it. + + + + + Switch the system to the new policy: + +&prompt.root;update-crypto-policies --set MY_POLICY + + + + Reboot the system to apply the new policy to the + applications and running services: + +&prompt.root;reboot + + + + Double-check if the policy is active: + +update-crypto-policies --show +MY_POLICY + + + + Reboot the system to apply the system-wide policy adjustment to the + applications. + + + +