Check: RHEL-06-000243
Red Hat Enterprise Linux 6 STIG: RHEL-06-000243 (in version v2 r2)
Title
The RHEL 6 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. (Cat II impact)
Discussion
Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance. By specifying a cipher list with the order of ciphers being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections.
Check Content
Only FIPS-approved ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command:

# grep -i Ciphers /etc/ssh/sshd_config

Expected output:

Ciphers aes256-ctr,aes192-ctr,aes128-ctr

If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, the "Ciphers" keyword is missing, or the returned line is commented out, this is a finding.
Fix Text
Limit the ciphers to those algorithms which are FIPS-approved. The following line in "/etc/ssh/sshd_config" demonstrates use of FIPS-approved ciphers:

Ciphers aes256-ctr,aes192-ctr,aes128-ctr

Note: The man page "sshd_config(5)" contains a list of supported ciphers.
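The manual grep above is easy to misread on a host with commented-out or duplicated directives, so the following added script (not part of the STIG text) automates the check. The required cipher string and the finding conditions (missing, commented out, other ciphers, wrong order) come from the Check Content; the check_ciphers function and the constructed sample files are this example's own.

```shell
#!/bin/sh
# Added example, not part of the STIG: automate RHEL-06-000243 against one or
# more sshd_config files. Exit status 0 = pass, 1 = finding.

EXPECTED_CIPHERS="aes256-ctr,aes192-ctr,aes128-ctr"

# check_ciphers FILE -> prints PASS or FINDING, returns 0 on pass, 1 on finding.
check_ciphers() {
    file="$1"
    # Only active directives count: a leading '#' makes the line a comment.
    # sshd_config keywords are case-insensitive, so match them that way.
    active=$(grep -iE '^[[:space:]]*Ciphers[[:space:]]+' "$file" 2>/dev/null || true)
    if [ -z "$active" ]; then
        echo "FINDING: $file has no active Ciphers directive"
        return 1
    fi
    # Every active directive must carry exactly the approved list, in order;
    # an extra cipher or a reordered list fails the string comparison.
    bad=$(printf '%s\n' "$active" | awk -v want="$EXPECTED_CIPHERS" '$2 != want { print $2 }')
    if [ -n "$bad" ]; then
        echo "FINDING: $file sets Ciphers to '$bad', expected '$EXPECTED_CIPHERS'"
        return 1
    fi
    echo "PASS: $file restricts SSH to $EXPECTED_CIPHERS"
    return 0
}

# Constructed sample configs (not real hosts) used when run with no arguments.
demo() {
    dir=$(mktemp -d)
    printf 'Protocol 2\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n' > "$dir/compliant"
    printf '#Ciphers aes256-ctr,aes192-ctr,aes128-ctr\n' > "$dir/commented"
    printf 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr\n' > "$dir/reordered"
    printf 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr,3des-cbc\n' > "$dir/extra"
    for f in "$dir"/*; do check_ciphers "$f" || true; done
    rm -rf "$dir"
}

# Run the demo, or check the files given as arguments (e.g. /etc/ssh/sshd_config).
if [ $# -eq 0 ]; then demo; else for f in "$@"; do check_ciphers "$f"; done; fi
```

Run it as `sh check_ciphers.sh /etc/ssh/sshd_config` on the target host; a non-zero exit status marks the finding, and the printed value shows which of the four conditions triggered it.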
Additional Identifiers
Rule ID: SV-218004r603822_rule
Vulnerability ID: V-218004
Group Title: SRG-OS-000033
CCIs
Number | Definition |
---|---|
CCI-000068 | The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions. |
Controls
Number | Title |
---|---|
AC-17 (2) | Protection Of Confidentiality / Integrity Using Encryption |