Check: RHEL-06-000244
Red Hat Enterprise Linux 6 STIG:
RHEL-06-000244
(in versions v2 r1 through v1 r24)
Title
The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. (Cat II impact)
Discussion
Approved algorithms required for compliance must impart some level of confidence in their implementation.
Check Content
Verify sshd is configured to use FIPS 140-2 approved Message Authentication Codes (MACs):

    # grep -i "mac" /etc/ssh/sshd_config | grep -v '^#'
    MACs hmac-sha2-512,hmac-sha2-256

If the output contains MACs that are not FIPS-approved, or does not return a value, this is a finding.
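One way to script this check, as an added example that is not part of the STIG text: it reads the first active `MACs` line and compares each value against an approved list, whereas the manual grep matches any line containing "mac" and only filters comments that start in column 1. The function name `check_sshd_macs` and the `APPROVED_MACS` default (taken from the sample output above) are assumptions.

```shell
#!/bin/sh
# Added example, not STIG content. APPROVED_MACS is an assumption: it defaults
# to the two MACs in this page's sample output; set it to your approved list.
APPROVED_MACS="${APPROVED_MACS:-hmac-sha2-512,hmac-sha2-256}"

# check_sshd_macs FILE
# Returns 0 = not a finding, 1 = finding, 2 = file unreadable.
check_sshd_macs() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }

    # Take the first active MACs line (sshd uses the first value it obtains).
    # Tolerates indentation, any keyword case and "keyword=value"; skips comments.
    macs=$(awk '{
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line ~ /^#/) next
        split(line, f, /[ \t=]+/)
        if (tolower(f[1]) == "macs") { print f[2]; exit }
    }' "$conf")

    if [ -z "$macs" ]; then
        echo "FINDING: no active MACs line in $conf"
        return 1
    fi

    # Collect every configured MAC that is not on the approved list.
    bad=$(printf '%s\n' "$macs" | tr ',' '\n' | while IFS= read -r mac; do
        case ",$APPROVED_MACS," in
            (*",$mac,"*) ;;
            (*) printf '%s ' "$mac" ;;
        esac
    done)

    if [ -n "$bad" ]; then
        echo "FINDING: unapproved MACs in $conf: $bad"
        return 1
    fi
    echo "OK: $conf uses only approved MACs: $macs"
}

# Constructed sample config (not from a real host); expected to be a finding.
sample=$(mktemp)
printf '%s\n' '#MACs hmac-md5' 'Protocol 2' 'MACs hmac-sha2-512,hmac-md5' > "$sample"
check_sshd_macs "$sample" || echo "exit status $? means finding"
rm -f "$sample"
```

On a host, call `check_sshd_macs /etc/ssh/sshd_config` and treat a non-zero exit status as the finding condition described above.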
Fix Text
Configure sshd to use only FIPS-approved Message Authentication Codes.
Additional Identifiers
Rule ID: SV-218005r505923_rule
Vulnerability ID: V-218005
Group Title: SRG-OS-000033
CCIs
Number | Definition |
---|---|
CCI-000068 | The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions. |
CCI-000803 | The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. |
CCI-001144 | The information system implements required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. |