Hands-on lab – setting encryption policies on CentOS 8

Start with a fresh CentOS 8 VM and the scanner VM that you've been using. Now, follow these steps:

  1. On the CentOS 8 VM, use the update-crypto-policies utility to verify that it's running in DEFAULT mode:
sudo update-crypto-policies --show
  2. From the scanner VM, scan the CentOS 8 VM in its DEFAULT configuration and save the output to a file:
sudo ssh_scan -t 192.168.0.161 -o ssh_scan-161.json
  3. On the CentOS 8 VM, set the system-wide crypto policy to FUTURE and reboot the VM so that every service picks up the new policy:
sudo update-crypto-policies --set FUTURE
sudo shutdown -r now
  4. On the scanner VM, open the ~/.ssh/known_hosts file in your text editor. Delete the entry that was previously made for the CentOS 8 VM and save the file. (This is necessary because the new policy changes the host key that the CentOS 8 VM presents, so the saved fingerprint no longer matches.)
  5. Scan the CentOS 8 VM again, saving the output to a different file:
sudo ssh_scan -t 192.168.0.161 -o ssh_scan_results-161-FUTURE.json
  6. Compare the two output files. You should now see fewer enabled algorithms than you did previously.
  7. Look at the files in the /etc/crypto-policies/back-ends/ directory:
ls -l /etc/crypto-policies/back-ends/

You'll now see that the symbolic links point to files in the FUTURE policy directory.

  8. To set FIPS mode, you'll need to use another utility, because update-crypto-policies only switches the policy; it doesn't install the extra modules that FIPS mode requires. The fips-mode-setup utility installs the FIPS dracut module, rebuilds the initramfs, adds fips=1 to the kernel command line, and switches the crypto policy to FIPS. First, verify that the system is not in FIPS mode:
sudo fips-mode-setup --check

You should see a message about not having FIPS modules installed.

  9. Enable FIPS mode, and then reboot:
sudo fips-mode-setup --enable
sudo shutdown -r now
  10. Verify that the VM is now in FIPS mode:
sudo fips-mode-setup --check
  11. Scan the CentOS 8 VM again, saving the output to a new file:
sudo ssh_scan -t 192.168.0.161 -o ssh_scan_results-161-FIPS.json
  12. Compare the three output files and note the differences in the enabled algorithms.
  13. View the contents of the /etc/crypto-policies/back-ends/ directory. Note that the symbolic links now point to files in the FIPS policy directory.
ls -l /etc/crypto-policies/back-ends/
In this lab, we set FUTURE mode first and then FIPS mode. Keep in mind that, in real life, you won't do both: enabling FIPS mode switches the system-wide policy to FIPS itself, so the FUTURE setting is replaced rather than combined with it. You'll pick one or the other.
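Comparing three ssh_scan JSON files by eye is tedious, so here is an added Python script for the "compare the output files" and "look at the back-ends directory" steps. It is not code from the book or from the crypto-policies project. It assumes ssh_scan's JSON layout (a list of per-host records with the algorithm-list keys named in ALGO_KEYS; check these against your own files) and that the back-end symlinks point into /usr/share/crypto-policies/<POLICY>/. The two sample records are constructed to resemble DEFAULT and FUTURE results and are not real scan output.

```python
#!/usr/bin/env python3
"""Compare two ssh_scan reports and check the crypto-policies back-end links.

Added example for this lab, not code from the book or the crypto-policies
project. Assumes ssh_scan's JSON layout: a list of per-host records whose
algorithm lists sit under the keys in ALGO_KEYS (verify against your files).
"""
import json
import os
import re
import sys

ALGO_KEYS = (
    "key_algorithms",
    "encryption_algorithms_client_to_server",
    "mac_algorithms_client_to_server",
)

# Name patterns for algorithms a stricter policy should remove. These are
# heuristics over SSH algorithm names, not the content of any policy file.
WEAK_PATTERNS = (
    r"-sha1(?:-etm)?(?:@openssh\.com)?$",  # SHA-1 based KEX and MACs
    r"^diffie-hellman-group1-",            # 1024-bit DH group
    r"-cbc$",                              # CBC-mode ciphers
    r"^hmac-md5",
    r"^arcfour",
)


def load_scan(path):
    """Load an ssh_scan JSON file and return its first host record."""
    with open(path) as f:
        return json.load(f)[0]


def algorithm_sets(record):
    """Map each category in ALGO_KEYS to the set of algorithm names offered."""
    return {k: set(record.get(k, [])) for k in ALGO_KEYS}


def compare_scans(before, after):
    """Per category, which algorithms disappeared and which appeared."""
    b, a = algorithm_sets(before), algorithm_sets(after)
    return {k: {"removed": b[k] - a[k], "added": a[k] - b[k]} for k in ALGO_KEYS}


def weak_algorithms(record):
    """Algorithms in a record that match WEAK_PATTERNS, keyed by category."""
    out = {}
    for k, names in algorithm_sets(record).items():
        hits = {n for n in names if any(re.search(p, n) for p in WEAK_PATTERNS)}
        if hits:
            out[k] = hits
    return out


def policy_from_link_targets(targets):
    """Given {link_name: symlink_target}, return the single policy directory
    all links point into, or None if they disagree (a half-applied change) or
    don't look like /usr/share/crypto-policies/<POLICY>/... (an assumption)."""
    names = set()
    for target in targets.values():
        m = re.search(r"/crypto-policies/([^/]+)/", target)
        names.add(m.group(1) if m else None)
    return names.pop() if len(names) == 1 else None


def read_backend_links(directory="/etc/crypto-policies/back-ends"):
    """Read the real symlinks on a CentOS/RHEL 8 host (run this on the VM)."""
    return {name: os.readlink(os.path.join(directory, name))
            for name in os.listdir(directory)
            if os.path.islink(os.path.join(directory, name))}


# Constructed sample records shaped like ssh_scan output; not real scan data.
DEFAULT_SCAN = {
    "key_algorithms": ["curve25519-sha256", "ecdh-sha2-nistp256",
                       "diffie-hellman-group16-sha512",
                       "diffie-hellman-group14-sha256",
                       "diffie-hellman-group14-sha1"],
    "encryption_algorithms_client_to_server": [
        "aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com",
        "aes256-ctr", "aes256-cbc", "aes128-ctr"],
    "mac_algorithms_client_to_server": [
        "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512",
        "hmac-sha1-etm@openssh.com", "hmac-sha1"],
}
FUTURE_SCAN = {
    "key_algorithms": ["curve25519-sha256", "ecdh-sha2-nistp256",
                       "diffie-hellman-group16-sha512"],
    "encryption_algorithms_client_to_server": [
        "aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com", "aes256-ctr"],
    "mac_algorithms_client_to_server": [
        "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512"],
}


def report(before, after):
    """Print the diff and any weak algorithms that survived the policy change."""
    for k, diff in compare_scans(before, after).items():
        print(f"{k}: removed {sorted(diff['removed'])}, added {sorted(diff['added'])}")
    print("weak algorithms still offered:", weak_algorithms(after) or "none")


if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. ssh_scan-161.json ssh_scan_results-161-FUTURE.json
        report(load_scan(sys.argv[1]), load_scan(sys.argv[2]))
    else:
        report(DEFAULT_SCAN, FUTURE_SCAN)
```

Run it on the scanner VM with the two file names from the lab as arguments to see exactly which KEX, cipher and MAC names each policy dropped; with no arguments it runs on the constructed samples. On the CentOS 8 VM itself, `policy_from_link_targets(read_backend_links())` tells you which policy directory the back-end symlinks currently point into, and returns None if they are inconsistent, which is worth checking after a failed or interrupted policy switch.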

You've reached the end of the lab – congratulations!

You now know how to use the system-wide crypto policies to restrict SSH (along with the other back ends the policy covers, such as OpenSSL and GnuTLS) to modern, strong algorithms. Next, let's look at logging.
