Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-22458 | GEN005505 | SV-35216r1_rule | DCNR-1 | Medium |
Description |
---|
DoD information systems are required to use FIPS 140-2 approved ciphers. SSHv2 ciphers meeting this requirement are 3DES and AES. |
STIG | Date |
---|---|
HP-UX 11.23 Security Technical Implementation Guide | 2013-07-02 |
Check Text ( C-36633r1_chk ) |
---|
Check the SSH daemon configuration for allowed ciphers. Note that keywords are case-insensitive and arguments (args) are case-sensitive. keyword=Ciphers arg(s)= Default values include: "aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour,arcfour128,arcfour256blowfish-cbc,cast128-cbc". For this check, all keyword values ending with the suffix "-cbc" are disallowed, IE: 3des-cbc. As the vendor does not currently support 3des-ctr, the only current allowed keyword values begin with the prefix "aes" and terminate with the suffix "-ctr". Note: When the default "arg" value exactly matches the required "arg" value (see above), the Examine the file. # cat /opt/ssh/etc/sshd_config | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v '^#' | egrep -i "ciphers" All ciphers present in the returned ciphers line entry must be prefixed by 3des or aes and end with the suffix "-ctr" or this is a finding. |
Fix Text (F-32003r1_fix) |
---|
Edit the configuration file and remove any ciphers that do not meet the following: 3des-ctr or aes-NNN-ctr (NNN=128, 192 or 256). If necessary, add the Ciphers entry with one or more of the above keyword values. |