Navigate

Check: SLEM-05-255045

SUSE Linux Enterprise Micro (SLEM) 5 STIG: SLEM-05-255045 (in version v1 r1)

Title

SLEM 5 must implement DOD-approved encryption to protect the confidentiality of SSH remote connections. (Cat I impact)

Discussion

Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information. The system will attempt to use the first cipher presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest cipher available to secure the SSH connection.

Check Content

Verify that SLEM 5 implements DOD-approved encryption to protect the confidentiality of SSH remote connections with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*ciphers' /etc/ssh/sshd_config:Ciphers aes256-ctr,aes192-ctr,aes128-ctr If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, the line is commented out, or the "Ciphers" keyword is missing, or conflicting results are returned, this is a finding.

Fix Text

Configure the SSH server to only implement FIPS 140-2/140-3 approved ciphers. Add or modify the following line in the "/etc/ssh/sshd_config" file: Ciphers aes256-ctr,aes192-ctr,aes128-ctr Restart the SSH daemon: > sudo systemctl restart sshd.service

Additional Identifiers

Rule ID: SV-261334r996467_rule

Vulnerability ID: V-261334

Group Title: SRG-OS-000033-GPOS-00014

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000068	Implement cryptographic mechanisms to protect the confidentiality of remote access sessions.
CCI-000877	Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.
CCI-001453	Implement cryptographic mechanisms to protect the integrity of remote access sessions.
CCI-002890	Implement organization-defined cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
AC-17(2)	Protection of Confidentiality / Integrity Using Encryption
MA-4	Nonlocal Maintenance
MA-4(6)	Cryptographic Protection