An error occurred:

Check: GEN005512

Solaris 10 X86 STIG: GEN005512 (in versions v2 r4 through v1 r17)

Title

The SSH client must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. (Cat II impact)

Discussion

DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. Satisfies: SRG-OS-000250, SRG-OS-000495, SRG-OS-000500

Check Content

Check the SSH client configuration for allowed MACs. Procedure: # grep -i macs /etc/ssh/ssh_config | grep -v '^#' If no lines are returned, or the returned MACs list contains any MAC that is not hmac-sha1 or a better hmac algorithm that is on the FIPS 140-2 approved list, this is a finding.

Fix Text

Edit the SSH client configuration and remove any MACs that are not hmac-sha1 or a better hmac algorithm that is on the FIPS 140-2 approved list. If necessary, add a MACs line.

Additional Identifiers

Rule ID: SV-227898r603266_rule

Vulnerability ID: V-227898

Group Title: SRG-OS-000250

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001453

Implement cryptographic mechanisms to protect the integrity of remote access sessions.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-17(2)

Protection of Confidentiality and Integrity Using Encryption