Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-69231 | ZSSH0020 | SV-83853r1_rule | High |
Description |
---|
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. Cryptographic modules must adhere to the higher standards approved by the federal government since this provides assurance they have been tested and validated. |
STIG | Date |
---|---|
z/OS RACF STIG | 2017-03-22 |
Check Text ( C-70037r1_chk ) |
---|
Locate the SSH daemon configuration file. May be found in /etc/ssh/ directory. Alternately: From UNIX System Services ISPF Shell navigate to ribbon select tools. Select option 1 - Work with Processes. If SSH Daemon is not active there is no finding. Examine SSH daemon configuration file. sshd_config If there are no Ciphers lines or the ciphers list contains any cipher not starting with "3des" or "aes", this is a finding. If the MACs line is not configured to "hmac-sha1" or greater this is a finding. Examine the z/OS-specific sshd server system-wide configuration zos_sshd_config If any of the following is untrue this is a finding. FIPSMODE=YES CiphersSource=ICSF MACsSource=ICSF |
Fix Text (F-75861r1_fix) |
---|
Edit the SSH daemon configuration and remove any ciphers not starting with "3des" or "aes". If necessary, add a "Ciphers" line using FIPS 140-2 compliant algorithms. Configure for message authentication to MACs "hmac-sha1" or greater. Edit the z/OS-specific sshd server system-wide configuration file configuration as follows: FIPSMODE=YES CiphersSource=ICSF MACsSource=ICSF |