Red Hat Enterprise Linux 6 STIG Version Comparison
Red Hat Enterprise Linux 6 Security Technical Implementation Guide
Comparison
There are 9 differences between versions v1 r26 (July 24, 2020) (the "left" version) and v2 r2 (Jan. 22, 2021) (the "right" version).
Check RHEL-06-000244 was removed from the benchmark in the "right" version. The text below reflects the old wording.
Text Differences
Title
The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
Check Content
Verify sshd is configured to use FIPS 140-2 approved Message Authentication Codes (MACs):

    # grep -i "mac" /etc/ssh/sshd_config | grep -v '^#'
    MACs hmac-sha2-512,hmac-sha2-256

If the output contains MACs that are not FIPS-approved, or does not return a value, this is a finding.
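A stricter, scriptable form of this check, added here as an example and not part of the STIG text: it reads only the active MACs directive and compares every entry against an allow-list, whereas the grep pipeline also prints indented comments and any other line containing "mac". The function name check_sshd_macs and the allow-list (taken from the sample output in the check) are assumptions.

```sh
#!/bin/sh
# Allow-list: assumption, copied from the sample output in the check text.
APPROVED_MACS="hmac-sha2-512 hmac-sha2-256"

# check_sshd_macs FILE
# Prints "PASS" or "FINDING: <reason>"; returns 0 on pass, 1 on finding.
check_sshd_macs() {
    awk -v approved="$APPROVED_MACS" '
        BEGIN {
            n = split(approved, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Match the keyword itself, case-insensitively. Commented lines never
        # match because their first field starts with "#", indented or not.
        tolower($1) == "macs" {
            # sshd keeps the first value it reads for a keyword, so only the
            # first active directive is evaluated.
            found = (NF >= 2)
            m = split($2, list, ",")
            for (i = 1; i <= m; i++)
                if (!(list[i] in ok)) bad = bad " " list[i]
            exit
        }
        END {
            if (!found)    { print "FINDING: no active MACs directive"; exit 1 }
            if (bad != "") { print "FINDING: unapproved MACs:" bad; exit 1 }
            print "PASS"
        }
    ' "$1"
}

# Constructed sample: an indented comment followed by a weak active directive.
# The grep pipeline from the check would print both of these lines.
sample=$(mktemp)
printf '%s\n' '  # MACs hmac-sha2-512' 'macs hmac-sha2-256,hmac-md5' > "$sample"
check_sshd_macs "$sample" || true   # prints: FINDING: unapproved MACs: hmac-md5
rm -f "$sample"
```

On a live system the argument would be /etc/ssh/sshd_config; a missing or empty directive is reported as a finding, matching the "does not return a value" condition in the check.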
Discussion
Approved algorithms required for compliance must impart some level of confidence in their implementation.
Fix
Configure sshd to use only FIPS-approved Message Authentication Codes.