Check: SLES-15-040450
SUSE Linux Enterprise Server 15 STIG:
SLES-15-040450
(in version v1 r13)
Title
The SUSE operating system SSH server must be configured to use only FIPS-validated key exchange algorithms. (Cat II impact)
Discussion
Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection. The system will attempt to use the first algorithm presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest algorithm available to secure the SSH connection.
Check Content
Verify the SSH server is configured to use only FIPS-validated key exchange algorithms: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*kexalgorithms' KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 If "KexAlgorithms" is not configured, is commented out, or does not contain only the algorithms "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" in exact order, this is a finding.
Fix Text
Configure the SSH server to use only FIPS-validated key exchange algorithms by adding or modifying the following line in "/etc/ssh/sshd_config": KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 Restart the "sshd" service for changes to take effect: $ sudo systemctl restart sshd
Additional Identifiers
Rule ID: SV-255920r951650_rule
Vulnerability ID: V-255920
Group Title: SRG-OS-000250-GPOS-00093
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001453 |
The information system implements cryptographic mechanisms to protect the integrity of remote access sessions. |
Controls
Number | Title |
---|---|
AC-17 (2) |
Protection Of Confidentiality / Integrity Using Encryption |