Check: ESXI-67-000010
VMware vSphere 6.7 ESXi STIG:
ESXI-67-000010
(in versions v1 r3 through v1 r1)
Title
The ESXi host SSH daemon must use DoD-approved encryption to protect the confidentiality of remote access sessions. (Cat II impact)
Discussion
Approved algorithms should impart some level of confidence in their implementation. Limit the ciphers to algorithms that are FIPS approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
Check Content
To verify that only FIPS-approved ciphers are in use, run the following command from an SSH session connected to the ESXi host, or from the ESXi shell: # grep -i "^FipsMode" /etc/ssh/sshd_config or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $esxcli.system.security.fips140.ssh.get.invoke() If there is no output or the output is not exactly "FipsMode yes" over SSH, or enabled is not "true" over PowerCLI, this is a finding.
Fix Text
Limit the ciphers to FIPS-approved algorithms. From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config": FipsMode yes or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $arguments = $esxcli.system.security.fips140.ssh.set.CreateArgs() $arguments.enable = $true $esxcli.system.security.fips140.ssh.set.Invoke($arguments)
Additional Identifiers
Rule ID: SV-239267r674730_rule
Vulnerability ID: V-239267
Group Title: SRG-OS-000033-VMM-000140
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000068 |
The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions. |
Controls
Number | Title |
---|---|
AC-17 (2) |
Protection Of Confidentiality / Integrity Using Encryption |