Check: ESXI-65-000010
VMware vSphere 6.5 ESXi STIG:
ESXI-65-000010
(in versions v2 r4 through v2 r2)
Title
The ESXi host SSH daemon must use DoD-approved encryption to protect the confidentiality of remote access sessions. (Cat II impact)
Discussion
Approved algorithms should impart some level of confidence in their implementation. Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. Note: This does not imply FIPS 140-2 validation.
Check Content
Only FIPS-approved ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command from an SSH session connected to the ESXi host, or from the ESXi shell:

# grep -i "^Ciphers" /etc/ssh/sshd_config

If there is no output or the output is not exactly "Ciphers aes256-ctr,aes192-ctr,aes128-ctr", this is a finding.
Fix Text
Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config":

Ciphers aes256-ctr,aes192-ctr,aes128-ctr
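As an added illustration of the check and fix above (example script, not part of the STIG), this POSIX shell script audits a given sshd_config file for exactly the required Ciphers line and appends or corrects it. The file-path parameter and the constructed sample config are assumptions so it can be exercised on a copy before the real /etc/ssh/sshd_config is touched.

```shell
#!/bin/sh
# Added example for ESXI-65-000010 (not from the STIG): audit and remediate
# the "Ciphers" line of an sshd_config file. The path is a parameter so the
# functions can be run against a copy or a constructed sample first.

REQUIRED_CIPHERS="Ciphers aes256-ctr,aes192-ctr,aes128-ctr"

# check_ciphers FILE: prints "pass" and returns 0 when the file is compliant,
# otherwise prints "finding" and returns 1. Mirrors the STIG check: the
# output of grep -i "^Ciphers" must be exactly the required line, so a
# missing line, a lowercase keyword, a different list, or two Ciphers lines
# are all findings.
check_ciphers() {
    file="$1"
    line=$(grep -i "^Ciphers" "$file" 2>/dev/null)
    if [ "$line" = "$REQUIRED_CIPHERS" ]; then
        echo pass
        return 0
    fi
    echo finding
    return 1
}

# fix_ciphers FILE: add or correct the Ciphers line as the Fix Text directs.
# Any existing Ciphers lines (any case) are dropped and the required line is
# appended, so the result contains exactly one. grep -v exits 1 when nothing
# remains, hence the "|| true".
fix_ciphers() {
    file="$1"
    tmp="$file.tmp"
    grep -iv "^Ciphers" "$file" > "$tmp" || true
    printf '%s\n' "$REQUIRED_CIPHERS" >> "$tmp"
    mv "$tmp" "$file"
}

# Stand-alone demo on a constructed sample config (not a real ESXi file).
if [ "${1:-}" = "demo" ]; then
    sample=$(mktemp)
    printf 'Protocol 2\nCiphers aes128-cbc,3des-cbc\nMACs hmac-sha2-256\n' > "$sample"
    check_ciphers "$sample"   # finding: CBC ciphers configured
    fix_ciphers "$sample"
    check_ciphers "$sample"   # pass
    rm -f "$sample"
fi
```

The STIG text does not mention reloading sshd; on a live host the corrected cipher list only governs sessions started after the daemon re-reads its configuration.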
Additional Identifiers
Rule ID: SV-207611r766919_rule
Vulnerability ID: V-207611
Group Title: SRG-OS-000033-VMM-000140
CCIs
Number | Definition
---|---
CCI-000068 | The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions.
Controls
Number | Title
---|---
AC-17 (2) | Protection Of Confidentiality / Integrity Using Encryption