Example default security.cfg file
Last updated on Jun 09, 2022
Here is an example of the contents of the default security.cfg file (generated on the Makito X4 Encoder, v1.4.2):
$ vicfg security.cfg
##
## WARNING
## Many settings of this file are modified by the security commands and Web pages
## This is the case for most sections with no comments
##

[AUDIT]
Enabled=No
Transport=UDP
Server=
Trusted=All
Fingerprint=

[MFR]
Persist=Yes
Remote=Yes

[BANNER]
Enabled=No

[CERTIFICATE]
##
## Self-Signed Certificate and CSR Generation Private Key (Default=RSA:2048)
## DSA:{1024|2048}
## ECC:{256|384|521} (Elliptic Curves NIST P-256, P-384, P-521)
## RSA:{1024|2048|3072|4096}
GenKey=RSA:2048
##
## Self-Signed Certificate and CSR Generation Authentication (Default=sha1)
## sha1, sha256, or sha384
GenMac=sha256
##
## Self-signed certificate validity in days (Default=825)
## Duration of certificate issued after July 1st 2019 must not exceed 825 days (NKE-3028)
GenDays=825

[CRYPTO]
##
## Crypto Compliance defines FIPS mode, SSH, and TLS settings
## Compliance Profiles are defined in compliance.defs (read-only)
## None : Enables the SSH and TLS sections of this file (custom profiles)
## FIPS140 : Enable FIPS mode and use FIPS 140-2 approved algorithms only
## NDPP11 : NIAP Network Device Protection Profile v1.1
## SP800-52R1 : (Deprecated)
## SP800-52R2 : NIST SP800-52 Revision 2 TLS Guidelines
Compliance=None
##
## The other settings of this section apply only if CRYPTO Compliance=None
##
FipsMode=No

[HTTPS]
HSTS=No
#HSTS.MaxAge=31536000
#HSTS.IncludeSubDomains=No
#HSTS.Preload=No

[PASSWORD]
Quality=Basic
MinLen=6
MinUppers=0
MinDigits=0
MinSymbols=0
MinDays=0
WarnAge=7
Expiry=No
MaxDays=90

[SESSION]
AutoLogout=No
IdleTimeout=15
LimitPerRole=4

[SSH]
##
## The SSH2 host keys below are deleted and/or generated upon reboot if their length changed.
## These settings overwrite the default length defined by the compliance profile if stronger or 0.
## Supported key lengths (0 means no key):
## DSA : 0, 1024
## ECC : 0, 256, 384, 521
## RSA : 0, 2048, 3072, 4096
SSH2.KeyDSA=0
#SSH2.KeyECC=256
#SSH2.KeyRSA=2048
##
## The SSH settings below apply only if CRYPTO Compliance=None
##
## Set Key Exchange, Ciphers, and MACs using OpenSSH syntax.
## See sshd_config(5) KexAlgorithms, Ciphers, MACs.
#SSH2.Kex=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffi
#SSH2.Ciphers=aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-
#SSH2.MACs=hmac-sha2-256,hmac-sha2-512,hmac-sha1

[TLS]
##
## The settings of this section apply only if CRYPTO Compliance=None
## except for TLS versions that can be disabled at all time (at least one must remain)
##
SSLv3=No
TLSv1.0=Yes
TLSv1.1=Yes
TLSv1.2=Yes
## Set ciphersuites using OpenSSL syntax. Test with 'openssl ciphers -v <ciphersuites>'
#TLS.CipherSuites=ECDH+AESGCM,EDH+AESGCM,ECDH+AES256,EDH+AES256,ECDH+AES128,EDH+AES128,ECDH+3DES,EDH+3DES,RSA
#TLS.FingerprintHash=SHA1
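As an added audit example (not part of Haivision's documentation or the encoder's own tooling), the script below parses a security.cfg in the format shown above, treating `##` lines as comments and `#Key=value` lines as commented-out settings, and flags the defaults a hardening review would question: TLS 1.0/1.1 enabled, HSTS off, Basic password quality, no password expiry, no auto-logout, and no compliance profile selected. The sample excerpt and the minimum password length threshold are constructed for this example and are not Makito values.

```python
# Constructed excerpt of the default security.cfg shown above (not a full copy).
SAMPLE_CFG = """## WARNING: many settings are modified by the security commands
[CRYPTO]
Compliance=None
[HTTPS]
HSTS=No
#HSTS.MaxAge=31536000
[PASSWORD]
Quality=Basic
MinLen=6
Expiry=No
[SESSION]
AutoLogout=No
[TLS]
TLSv1.0=Yes
TLSv1.1=Yes
"""

def parse_cfg(text):
    """Map (section, key) -> value; '##' comments and '#Key=' commented-out settings are skipped."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        else:
            key, _, value = line.partition("=")
            settings[(section, key.strip())] = value.strip()  # a repeated key keeps its last value
    return settings

# Values that warrant a finding when present (this example's assumed hardening baseline).
WEAK_VALUES = [
    ("CRYPTO", "Compliance", "None", "no compliance profile; custom SSH/TLS settings apply"),
    ("HTTPS", "HSTS", "No", "HSTS disabled"),
    ("PASSWORD", "Quality", "Basic", "basic password quality only"),
    ("PASSWORD", "Expiry", "No", "passwords never expire"),
    ("SESSION", "AutoLogout", "No", "idle sessions are never logged out"),
    ("TLS", "TLSv1.0", "Yes", "TLS 1.0 enabled"),
    ("TLS", "TLSv1.1", "Yes", "TLS 1.1 enabled"),
]

def audit(settings, min_len=8):
    """Return findings; min_len is an assumed policy threshold, not a Makito value."""
    findings = [f"[{s}] {k}={v}: {msg}" for s, k, v, msg in WEAK_VALUES
                if settings.get((s, k)) == v]
    if int(settings.get(("PASSWORD", "MinLen"), "0")) < min_len:
        findings.append(f"[PASSWORD] MinLen below {min_len}")
    return findings
```

Run it against a `vicfg security.cfg` dump saved to a file by passing the file contents to `parse_cfg` and then `audit`; a device on a compliance profile such as FIPS140 or SP800-52R2 will not produce the Compliance finding.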