The operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-216410	SOL-11.1-060130	SV-216410r603866_rule		Medium

Description
Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Using cryptography ensures confidentiality of the remote access connections. By specifying a cipher list with the order of ciphers being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections. Note: SSH in Solaris 11.GA-11.3 used Sun Microsystem’s proprietary SUNWssh. In Solaris 11.3 OpenSSH was offered as optional software and in Solaris 11.4 OpenSSH is the only SSH offered. Both use the same /etc/ssh/sshd_config file and both, by default do not include the ciphers line.

Description

Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Using cryptography ensures confidentiality of the remote access connections. By specifying a cipher list with the order of ciphers being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections. Note: SSH in Solaris 11.GA-11.3 used Sun Microsystem’s proprietary SUNWssh. In Solaris 11.3 OpenSSH was offered as optional software and in Solaris 11.4 OpenSSH is the only SSH offered. Both use the same /etc/ssh/sshd_config file and both, by default do not include the ciphers line.

STIG	Date
Solaris 11 SPARC Security Technical Implementation Guide	2020-12-08

Details

Check Text ( C-17646r603864_chk )
Check the SSH daemon configuration for allowed ciphers. # grep -i ciphers /etc/ssh/sshd_config \| grep -v '^#’ Ciphers aes256-ctr,aes192-ctr,aes128-ctr If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, the "Ciphers" keyword is missing, or is commented out, this is a finding.

Fix Text (F-17644r603865_fix)
The root role is required. Modify the sshd_config file. # pfedit /etc/ssh/sshd_config Change or set the ciphers line to the following: ciphers aes256-ctr,aes192-ctr,aes128-ctr Restart the SSH service. # svcadm restart svc:/network/ssh