Check: RHEL-06-000243
Red Hat Enterprise Linux 6 STIG: RHEL-06-000243
(in versions v2 r1 through v1 r25)
Title
The SSH daemon must be configured to use only FIPS 140-2 approved ciphers. (Cat II impact)
Discussion
Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance.
Check Content
Only FIPS-approved ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command:

# grep -i Ciphers /etc/ssh/sshd_config

Expected output:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc

If any ciphers listed are not FIPS-approved, this is a finding.
Fix Text
Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in "/etc/ssh/sshd_config" demonstrates use of FIPS-approved ciphers:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc

Note: The man page "sshd_config(5)" contains a list of supported ciphers.
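The bare "grep -i Ciphers" check above has two blind spots a practitioner will want covered: it matches a commented-out "#Ciphers" line as if it were active, and it prints nothing when the directive is absent entirely, in which case sshd falls back to its compiled-in default list (on RHEL 6's OpenSSH 5.3 that list includes non-FIPS ciphers such as arcfour and blowfish-cbc, so an absent directive is also a finding). The script below is an added example and is not part of the STIG text or of any DISA tool; it evaluates an sshd_config against the cipher allowlist taken from the Fix Text, treats the first uncommented Ciphers directive as the effective one (sshd_config keywords are case-insensitive and the first occurrence wins), and reports a finding for a missing directive or for any listed cipher outside the allowlist. The three sample configurations are constructed for the demonstration and do not come from a real host.

```shell
#!/bin/sh
# Added example for RHEL-06-000243: evaluate an sshd_config file against the
# FIPS cipher allowlist from the STIG fix text. Not part of the STIG itself.

# Allowlist: exactly the ciphers named in the STIG fix text.
FIPS_CIPHERS="aes128-ctr aes192-ctr aes256-ctr aes128-cbc aes192-cbc aes256-cbc"

# Print the value of the first active (uncommented) Ciphers directive in the
# file given as $1, or nothing if there is none. A leading "#" makes $1 read
# "#Ciphers", so commented-out directives are correctly ignored here.
active_ciphers() {
    awk 'tolower($1) == "ciphers" { print $2; exit }' "$1"
}

# Evaluate the file given as $1. Returns 0 when compliant, 1 for a finding,
# and prints a one-line reason in either case.
check_sshd_ciphers() {
    ciphers=$(active_ciphers "$1")
    if [ -z "$ciphers" ]; then
        # No directive in effect: sshd uses its built-in default cipher list,
        # which is not restricted to FIPS-approved algorithms.
        echo "FINDING: no active Ciphers directive; sshd default cipher list applies"
        return 1
    fi
    bad=""
    for c in $(printf '%s' "$ciphers" | tr ',' ' '); do
        case " $FIPS_CIPHERS " in
            *" $c "*) ;;                 # cipher is on the allowlist
            *) bad="$bad $c" ;;          # anything else is a finding
        esac
    done
    if [ -n "$bad" ]; then
        echo "FINDING: non-FIPS cipher(s) configured:$bad"
        return 1
    fi
    echo "OK: Ciphers $ciphers"
    return 0
}

# Constructed sample configurations (hypothetical, not from a real system).
tmp=$(mktemp -d)
# 1. Compliant: the exact line from the STIG fix text.
printf 'Protocol 2\nCiphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc\n' > "$tmp/ok.conf"
# 2. Finding: the directive is present but commented out, so defaults apply.
printf 'Protocol 2\n#Ciphers aes128-ctr,aes256-ctr\n' > "$tmp/commented.conf"
# 3. Finding: an active directive (lower-case keyword) listing a non-FIPS cipher.
printf 'ciphers aes256-ctr,arcfour\n' > "$tmp/arcfour.conf"

for f in ok commented arcfour; do
    printf '%s: ' "$f"
    check_sshd_ciphers "$tmp/$f.conf"
done
rm -rf "$tmp"
```

Run it as-is to see the three verdicts, or call check_sshd_ciphers on /etc/ssh/sshd_config directly; the exit status is 0 only when every configured cipher is on the allowlist, which makes it usable from a scan wrapper.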
Additional Identifiers
Rule ID: SV-218004r505923_rule
Vulnerability ID: V-218004
Group Title: SRG-OS-000033
CCIs
Number | Definition
---|---
CCI-000068 | The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions.
CCI-001144 | The information system implements required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
CCI-002450 | The information system implements organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.