
The Oracle Linux 6 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.


Overview

Finding ID: V-219561
Version: OL6-00-000243
Rule ID: SV-219561r603343_rule
IA Controls:
Severity: Medium
Description
Approved algorithms should impart some level of confidence in their implementation, and their use is also required for compliance. When the cipher list is ordered from strongest to weakest, the system automatically attempts to use the strongest cipher to secure SSH connections.
STIG Date
Oracle Linux 6 Security Technical Implementation Guide 2020-12-04

Details

Check Text (C-21286r603341_chk)
Only FIPS-approved ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command:

# grep -i Ciphers /etc/ssh/sshd_config

Ciphers aes256-ctr,aes192-ctr,aes128-ctr

If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, the "Ciphers" keyword is missing, or the returned line is commented out, this is a finding.
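
The finding conditions above can be evaluated automatically instead of reading the grep output by eye. The script below is an added example, not part of the STIG; the function name check_ssh_ciphers and the strict reading that the first active Ciphers value must match the example list exactly are assumptions.

```shell
#!/bin/sh
# Added example, not part of the STIG. Strict reading assumed: the first active
# Ciphers value must equal the example list exactly.
EXPECTED="aes256-ctr,aes192-ctr,aes128-ctr"

# check_ssh_ciphers [FILE]: prints PASS or FINDING, returns 0 only when compliant.
check_ssh_ciphers() {
    config="${1:-/etc/ssh/sshd_config}"
    [ -r "$config" ] || { echo "FINDING: cannot read $config"; return 1; }

    # First uncommented Ciphers line wins (sshd uses the first value obtained).
    # Keywords are case-insensitive; "Ciphers=list" is normalised to "Ciphers list".
    value=$(awk '{ sub(/[=]/, " ") } tolower($1) == "ciphers" { print $2; exit }' "$config")

    if [ -z "$value" ]; then
        if grep -qiE '^[[:space:]]*#[[:space:]]*ciphers' "$config"; then
            echo "FINDING: Ciphers line is commented out"
        else
            echo "FINDING: Ciphers keyword is missing"
        fi
        return 1
    fi

    if [ "$value" = "$EXPECTED" ]; then
        echo "PASS: $value"
        return 0
    fi

    # Report an unapproved name first, since that is the more serious deviation.
    for cipher in $(printf '%s' "$value" | tr ',' ' '); do
        case "$cipher" in
            aes256-ctr|aes192-ctr|aes128-ctr) ;;
            *) echo "FINDING: unapproved cipher '$cipher'"; return 1 ;;
        esac
    done
    echo "FINDING: cipher list or order differs from $EXPECTED"
    return 1
}

# Constructed sample (not from a real host): one name has lost its "aes" prefix.
demo=$(mktemp)
printf 'Protocol 2\nCiphers 256-ctr,aes192-ctr,aes128-ctr\n' > "$demo"
check_ssh_ciphers "$demo" || true
rm -f "$demo"
```

Run without an argument, the function checks /etc/ssh/sshd_config; its exit status can gate a compliance job.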
Fix Text (F-21285r603342_fix)
Limit the ciphers to those algorithms which are FIPS-approved. The following line in "/etc/ssh/sshd_config" demonstrates use of FIPS-approved ciphers:

Ciphers aes256-ctr,aes192-ctr,aes128-ctr

Note: The man page "sshd_config(5)" contains a list of supported ciphers.