IBM z/OS SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm.

Quick Actions

We are continuing to improve Stigviewer and we are planning on rolling out new services in the near future. Would you like to be part of the conversation on what those features should be? If so, click here.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-223589	ACF2-SH-000050	SV-223589r1083012_rule		High

Description

Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information. Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061

STIG	Date
IBM z/OS ACF2 Security Technical Implementation Guide	2025-03-11

Details

Check Text (C-25262r1083011_chk)

Locate the SSH daemon configuration file, which may be found in "/etc/ssh/" directory.

Alternately:

From Unix System Services ISPF Shell, navigate to ribbon select tools.

Select option 1 - Work with Processes.

If SSH Daemon is not active, this is not a finding.

Examine SSH daemon configuration file.
sshd_config

If there are no ciphers lines, or the ciphers list contains any cipher not starting with "aes", this is a finding.

If the MACs line is not configured to "hmac-sha1" or greater, this is a finding.

Examine the z/OS-specific sshd server systemwide configuration.
zos_sshd_config

If any of the following is untrue, this is a finding.

FIPSMODE=YES
CiphersSource=ICSF
MACsSource=ICSF

Fix Text (F-25250r1082840_fix)

Edit the SSH daemon configuration and remove any ciphers not starting with "aes". If necessary, add a "Ciphers" line using FIPS 140-2 compliant algorithms.

Configure for message authentication to MACs "hmac-sha1" or greater.

Edit the z/OS-specific sshd server system-wide configuration file configuration as follows:
FIPSMODE=YES
CiphersSource=ICSF
MACsSource=ICSF

STIG VIEWER