Crypto Config File Analysis
One misconfigured line in openssl.cnf undoes every other crypto control on the host. This catches it.
The problem
RHEL's crypto-policies system is designed to flip every cryptographic library on the host to a single coherent posture with one command. The same machinery makes it possible to flip them all the wrong way. A DEFAULT policy permits SHA-1, sub-2048-bit DH groups, and CBC-mode ciphers FIPS does not. LEGACY enables algorithms with active known weaknesses, often left in place from a one-off troubleshooting session that never got reverted.
openssl.cnf is the silent source of most FIPS regressions. Lines like Options = UnsafeLegacy or LEGACY = legacy_sect explicitly re-enable MD4, Blowfish, RC2, and other deprecated algorithms across every application linked against that OpenSSL. The contractor often cannot say who added the line, when, or which deployment script copied it forward into the gold image.
java.security determines what the entire JVM can negotiate. A jdk.tls.disabledAlgorithms list missing TLSv1, RC4, or 3DES_EDE_CBC means every Java application can fall back to non-FIPS suites silently, and contractors run more JVM applications than they realize once you count log shippers, build agents, and embedded tooling.
What CMMC requires
NIST SP 800-171 Rev 2 controls this agent verifies. Primary mappings drive the gap assessment; secondary mappings provide supporting evidence in the SSP.
Audits the system-wide configuration that governs FIPS enforcement across every application,a single misconfigured line undoes the work of every other crypto agent.
Read in NIST 800-171 r2↗Treats RHEL crypto-policies, openssl.cnf, and java.security as security configuration baseline items per 3.4.2,the system-wide enforcement mechanism for cryptographic algorithm selection.
Read in NIST 800-171 r2↗Detects configuration that re-enables RC4, Blowfish, RC2, and MD4,algorithms that compromise transmission confidentiality regardless of TLS protocol version.
Read in NIST 800-171 r2↗Flags LEGACY crypto-policies as enabling algorithms with known weaknesses,a configuration-level flaw requiring remediation on a defined timeline.
Read in NIST 800-171 r2↗How it works
Per-platform detection logic. The agent runs unprivileged where possible and falls back gracefully when raw access is unavailable.
Reads /etc/crypto-policies/config or /etc/crypto-policies/state/CURRENT.pol and validates the value is FIPS or a FIPS subpolicy. Parses /etc/ssl/openssl.cnf, /etc/pki/tls/openssl.cnf, and /usr/lib/ssl/openssl.cnf for fips_sect activation, the legacy provider, and Options = UnsafeLegacy. Locates conf/security/java.security across every common JDK install path and verifies jdk.tls.disabledAlgorithms covers SSLv3, TLSv1/1.1, RC4, DES, MD5withRSA, and 3DES_EDE_CBC end to end.
Limited surface, since Windows does not use the same system-wide crypto policy mechanism. Java configuration is audited the same way as Linux whenever JDK installs are present, and openssl.cnf is checked across every third-party OpenSSL build (Git for Windows, Cygwin, Strawberry Perl, vendored Python). Findings carry the install path so remediation is unambiguous.
Not applicable on this platform.
What it finds
Concrete findings written to the assessor's mental model,not abstract categories. Severity drives POA&M priority and SPRS deduction.
- CRITICALRHEL crypto-policy set to LEGACYupdate-crypto-policies has explicitly enabled MD4, Blowfish, RC2, and other deprecated algorithms across every library on the host.
- HIGHRHEL crypto-policy set to DEFAULTPolicy permits SHA-1, DH groups below 2048 bits, and CBC mode ciphers FIPS does not allow. Remediation: sudo update-crypto-policies --set FIPS.
- HIGHopenssl.cnf has Options = UnsafeLegacyConfiguration explicitly enables non-FIPS algorithms in every application linked against this OpenSSL instance.
- HIGHopenssl.cnf loads the legacy providerLEGACY = legacy_sect re-enables MD4, RC2, RC5, and other algorithms specifically removed from the default provider for safety.
- MEDIUMjava.security disabledAlgorithms incompletejdk.tls.disabledAlgorithms is missing one or more of: SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, 3DES_EDE_CBC. JVM applications may negotiate the missing algorithms.
Crypto policy misconfigurations hit 3.13.11 (5 points) and 3.4.2 (3 points) simultaneously, and a CRITICAL LEGACY policy compounds into 3.14.1 (3 points) on top. Worst case is an 11-point combined exposure across three controls from a single misconfigured file the contractor never knew was deployed. The remediation is almost always one command. The cost of not finding it is paid in the assessor's report and a re-engagement fee.
How it hooks into the platform
Tolerance reads /etc/crypto-policies, openssl.cnf variants, and java.security on every host where they exist, on a cadence the platform sets, with no operator action. You choose whether parsed policy values stay on-prem or sync up. Findings populate the SSP's configuration management section with the policy file path, current value, required value, and remediation command. Because each result is treated as a configuration baseline item, the same finding lands in both the 3.13.11 and 3.4.2 evidence trails. POA&M items capture the specific config file so remediation is auditable; re-reads catch drift.
How we know it's working
Acceptance criteria from the engineering spec,what the agent must do to ship.
- Audits crypto-policies, openssl.cnf, and java.security independently per host
- Returns platform-specific remediation commands inline with each finding
- Skips commented configuration lines so legitimate notes never trigger findings
- Operates strictly read-only against every configuration file
- Runs fully unprivileged on Linux from the contractor's existing service account
Run this agent against your environment.
Book a 30-minute scoping call. We'll deploy the agent on your systems and walk through the findings together.