Check: ESXI-67-100010
VMware vSphere 6.7 ESXi STIG:
ESXI-67-100010
(in version v1 r1)
Title
The ESXi host SSH daemon must be configured to only use FIPS 140-2 approved ciphers. (Cat II impact)
Discussion
Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance.
Check Content
Verify that only FIPS-approved ciphers are used by running the following command:

# grep -i "^Ciphers" /etc/ssh/sshd_config

If there is no output, or the output is not exactly "Ciphers aes128-ctr,aes192-ctr,aes256-ctr", this is a finding.
Fix Text
Limit the ciphers to algorithms that are FIPS approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. Add or correct the following line in "/etc/ssh/sshd_config":

Ciphers aes128-ctr,aes192-ctr,aes256-ctr
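As an added example, not part of the STIG text, the following POSIX shell script evaluates this check against a given sshd_config exactly as the Check Content describes (one line starting with "Ciphers", matched case-insensitively, that must equal the approved value) and applies the Fix Text by adding or correcting that line. The sample configuration files and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example for ESXI-67-100010; not from the STIG or VMware.
REQUIRED='Ciphers aes128-ctr,aes192-ctr,aes256-ctr'

# Returns 0 when the file passes the check, 1 when it is a finding.
# Mirrors the STIG check: "grep -i '^Ciphers'" must print exactly REQUIRED,
# so a missing line, a second Ciphers line, or a lowercase keyword all fail.
check_sshd_ciphers() {
    file="$1"
    out=$(grep -i '^Ciphers' "$file" || true)
    if [ -z "$out" ]; then
        echo "FINDING: no Ciphers directive in $file"
        return 1
    fi
    if [ "$out" != "$REQUIRED" ]; then
        echo "FINDING: $file has '$out'"
        return 1
    fi
    echo "PASS: $file"
    return 0
}

# Fix Text: add or correct the Ciphers line. Any existing Ciphers lines
# (any case) are dropped and the single approved line is appended.
fix_sshd_ciphers() {
    file="$1"
    tmp="$file.tmp"
    grep -iv '^Ciphers' "$file" > "$tmp" || true
    printf '%s\n' "$REQUIRED" >> "$tmp"
    mv "$tmp" "$file"
}

# Constructed sample configs (not real host data); prints the directory.
make_samples() {
    dir=$(mktemp -d)
    printf 'Port 22\nCiphers aes128-cbc,aes256-ctr\n' > "$dir/weak_config"
    printf 'Port 22\nPermitRootLogin no\n' > "$dir/missing_config"
    printf 'Port 22\n%s\n' "$REQUIRED" > "$dir/good_config"
    echo "$dir"
}
```

On a live host, point check_sshd_ciphers at /etc/ssh/sshd_config and restart the SSH service after fix_sshd_ciphers so the new cipher list takes effect.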
Additional Identifiers
Rule ID: SV-239331r674922_rule
Vulnerability ID: V-239331
Group Title: SRG-OS-000478-VMM-001980
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002450 | The information system implements organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. |
Controls
Number | Title |
---|---|
SC-13 | Cryptographic Protection |