UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.


Overview

Finding ID Version Rule ID IA Controls Severity
V-216173 SOL-11.1-060130 SV-216173r958408_rule Medium
Description
Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Using cryptography ensures confidentiality of the remote access connections. The system will attempt to use the first cipher presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest cipher available to secure the SSH connection. Note: SSH in Solaris 11.GA-11.3 used Sun Microsystem’s proprietary SUNWssh. In Solaris 11.3 OpenSSH was offered as optional software and in Solaris 11.4 OpenSSH is the only SSH offered. Both use the same /etc/ssh/sshd_config file and both, by default do not include the ciphers line.
STIG Date
Solaris 11 X86 Security Technical Implementation Guide 2024-05-30

Details

Check Text ( C-17411r622341_chk )
Check the SSH daemon configuration for allowed ciphers.

# grep -i ciphers /etc/ssh/sshd_config | grep -v '^#’
Ciphers aes256-ctr,aes192-ctr,aes128-ctr

If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, the "Ciphers" keyword is missing, or is commented out, this is a finding.
Fix Text (F-17409r622342_fix)
The root role is required.

Modify the sshd_config file.

# pfedit /etc/ssh/sshd_config

Change or set the ciphers line to the following:

ciphers aes256-ctr,aes192-ctr,aes128-ctr

Restart the SSH service.

# svcadm restart svc:/network/ssh