SSHD Must Include System Crypto Policy Config File

An XCCDF Rule

Description

SSHD should follow the system cryptographic policy. In order to accomplish this the SSHD configuration should include the system

Rationale

Without cryptographic integrity protections, information can be altered by unauthorized users without detection.

ID: xccdf_org.ssgproject.content_rule_sshd_include_crypto_policy
Severity: Medium
References: CCI-001453

AC-17 (2)

SRG-OS-000250-GPOS-00093

RHEL-09-255055

SV-257987r1014852_rule

CCE-90566-1
Updated: about 2 months ago

Remediation Templates

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-90566-1
  - DISA-STIG-RHEL-09-255055  - NIST-800-53-AC-17 (2)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sshd_include_crypto_policy
- name: SSHD Must Include System Crypto Policy Config File - Ensure That Drop In SSH
    Config Files are Included
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    line: Include /etc/ssh/sshd_config.d/*.conf
    regexp: ^Include /etc/ssh/sshd_config.d/\*.conf
    state: present
  when: '"kernel" in ansible_facts.packages'
  tags:
  - CCE-90566-1
  - DISA-STIG-RHEL-09-255055
  - NIST-800-53-AC-17 (2)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sshd_include_crypto_policy

- name: SSHD Must Include System Crypto Policy Config File - Ensure That System Crypto
    Policies are Included
  ansible.builtin.lineinfile:
    path: /etc/ssh/ssh_config.d/50-redhat.conf
    regexp: Include /etc/crypto-policies/back-ends/opensshserver.config
    line: Include /etc/crypto-policies/back-ends/opensshserver.config
    state: present
  when: '"kernel" in ansible_facts.packages'
  tags:
  - CCE-90566-1
  - DISA-STIG-RHEL-09-255055
  - NIST-800-53-AC-17 (2)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sshd_include_crypto_policy

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/sshd_config
echo "Include /etc/crypto-policies/back-ends/opensshserver.config" >> /etc/ssh/ssh_config.d/50-redhat.conf

else    >&2 echo 'Remediation is not applicable, nothing was done'
fi

SSHD Must Include System Crypto Policy Config File

Description

Rationale

Remediation Templates

An Ansible Snippet

A Shell Script