Use Only FIPS 140-2 Validated Ciphers
An XCCDF Rule
Description
Limit the ciphers to those algorithms which are FIPS-approved.
The following line in /etc/ssh/sshd_config
demonstrates use of FIPS-approved ciphers:
Ciphers aes256-ctr,aes192-ctr,aes128-ctrThis rule ensures that there are configured ciphers mentioned above (or their subset), keeping the given order of algorithms.
warning alert: Warning
warning alert: Regulatory Warning
Rationale
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore
cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to
cryptographic modules.
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules
utilize authentication that meets industry and government requirements. For government systems, this allows
Security Levels 1, 2, 3, or 4 for use on Oracle Linux 7.
- ID
- xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers_ordered_stig
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Configure sshd to use approved ciphers
lineinfile:
path: /etc/ssh/sshd_config
line: Ciphers aes256-ctr,aes192-ctr,aes128-ctr
state: present
regexp: ^[\s]*[Cc]iphers[\s]+(aes256-ctr(?=[\w,-@]+|$),?)?(aes192-ctr(?=[\w,-@]+|$),?)?(aes128-ctr(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
if grep -q -P '^\s*[Cc]iphers\s+' /etc/ssh/sshd_config; then
sed -i 's/^\s*[Cc]iphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config
else