HIGH RHCOS (Node) H1: Crypto Policy P1

Verified | CNF-21212 | Synced: 2026-05-05

Overview

This remediation configures the system-wide cryptographic policy to disable SHA1, improving the security posture of RHCOS nodes by enforcing stronger cryptographic standards.

Settings

Setting Value Description
crypto-policy DEFAULT:NO-SHA1 System-wide crypto policy without SHA1

Implementation

The remediation applies a MachineConfig that sets the crypto policy via a systemd unit running update-crypto-policies at boot. The master-role variant is shown below; the worker-role file is listed under Source Remediation Files:

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-crypto-policy-high
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    systemd:
      units:
        - name: configure-crypto-policy.service
          enabled: true
          contents: |
            [Unit]
            Description=Configure System Crypto Policy
            Before=sshd.service
            After=systemd-machine-id-commit.service
            ConditionFirstBoot=no

            [Service]
            Type=oneshot
            ExecStart=/usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1
            RemainAfterExit=yes

            [Install]
            WantedBy=multi-user.target

Compliance Checks Remediated

This group addresses the following compliance checks:

Check Profile Description
rhcos4-e8-worker-configure-crypto-policy E8 Configure system crypto policy (worker)
rhcos4-e8-master-configure-crypto-policy E8 Configure system crypto policy (master)

Source Remediation Files

  • high/rhcos4-e8-worker-configure-crypto-policy.yaml
  • high/rhcos4-e8-master-configure-crypto-policy.yaml

Verification

After applying the MachineConfig, verify the crypto policy on a node:

oc debug node/<node-name> -- chroot /host update-crypto-policies --show
# Expected output: DEFAULT:NO-SHA1
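To check the policy on every node at once instead of one oc debug call at a time, the following added example (not part of the remediation files) wraps the same update-crypto-policies --show call in an audit loop. It assumes an oc session with permission to debug nodes; the helper names are this example's own.

```shell
#!/bin/sh
# Audit every node's system-wide crypto policy against the value the
# remediation sets (DEFAULT:NO-SHA1). Assumes `oc` is logged in with
# permission to run `oc debug` on nodes. The helper names below are this
# example's own, not part of the remediation.
EXPECTED_POLICY="${EXPECTED_POLICY:-DEFAULT:NO-SHA1}"

# Run a command inside one node's host namespace. Kept in its own function
# so cluster access can be swapped out (for example stubbed in a test).
run_on_node() {
    node="$1"; shift
    oc debug "node/${node}" -- chroot /host "$@" 2>/dev/null
}

# Classify the output of `update-crypto-policies --show` for one node.
# Prints ok | unset | other and returns 0 only for ok. `oc debug` may add
# status lines of its own, so take the first line shaped like a policy name.
classify_policy() {
    shown=$(printf '%s\n' "$1" \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -E '^[A-Z0-9_-]+(:[A-Z0-9_-]+)*$' | head -n 1)
    if [ "$shown" = "$EXPECTED_POLICY" ]; then
        echo ok; return 0
    elif [ "$shown" = "${EXPECTED_POLICY%%:*}" ]; then
        # Base policy without the NO-SHA1 sub-policy: the systemd unit has
        # not run on this node (or the MachineConfig has not reached it yet).
        echo unset; return 1
    else
        echo other; return 1
    fi
}

# Audit the given nodes, printing one result line each. The exit status is
# the number of non-compliant nodes, so 0 means every node matches.
audit_nodes() {
    failures=0
    for node in "$@"; do
        output=$(run_on_node "$node" update-crypto-policies --show) || output=""
        status=$(classify_policy "$output") || failures=$((failures + 1))
        printf '%-40s %s\n' "$node" "$status"
    done
    return "$failures"
}

# Audit every node in the cluster; skipped automatically when `oc` is absent.
audit_cluster() {
    nodes=$(oc get nodes -o jsonpath='{.items[*].metadata.name}')
    audit_nodes $nodes
}
if command -v oc >/dev/null 2>&1; then audit_cluster; fi
```

A node reported as "unset" still shows the plain DEFAULT policy, which is the state to expect until the MachineConfig has rolled out and the unit has run; "other" covers any different policy or an unreadable node.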

Upstream Proposal

The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:

Setting: DEFAULT:NO-SHA1 crypto policy
Scope: RAN
Target: openshift/os, crypto policy preset in base image
Rationale: RHCOS ships the DEFAULT policy. E8 requires the NO-SHA1 sub-policy. Hardened container hosts should not use SHA1. Scope note: general OCP clusters may need the DEFAULT policy for broad TLS compatibility; NO-SHA1 is a hardening choice.
Risk: Low