The ESXi host Secure Shell (SSH) daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions.

An XCCDF Rule

Description

Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. OpenSSH on the ESXi host ships with a FIPS 140-2 validated cryptographic module and it is enabled by default. For backward compatibility reasons, this can be disabled so this setting must be audited and corrected if necessary.

ID: SV-258732r958408_rule
Version: ESXI-80-000014
Severity: High
References: CCI-000068
Updated: about 2 months ago

Remediation Templates

From an ESXi shell, run the following command:

# esxcli system security fips140 ssh set -e true

or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.security.fips140.ssh.set.CreateArgs()
$arguments.enable = $true
$esxcli.system.security.fips140.ssh.set.Invoke($arguments)

The ESXi host Secure Shell (SSH) daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions.

Description

Remediation Templates

A Manual Procedure