Harden SSH client Crypto Policy
An XCCDF Rule
Description
Crypto policies are a means of enforcing certain cryptographic settings for selected applications, including the OpenSSH client.
To override the system-wide crypto policy for the OpenSSH client, place a file in /etc/ssh/ssh_config.d/ with a name that sorts before 05-redhat.conf, so that it is loaded first. In this case the file is named 02-ospp.conf and contains the parameters that need to differ from the crypto policy.
This rule checks that the file exists and that it contains the required parameters and values which modify the crypto policy.
During parsing, as soon as the OpenSSH client reads a configuration option and its value, it keeps that first value and ignores any later assignment of the same option. The customization mechanism provided by crypto policies appends customizations at the end of the system-wide crypto policy. Therefore, if a crypto policy customization overrides a parameter that is already set in the system-wide policy, the SSH client will not honor the customized value.
Rationale
The Common Criteria requirements specify how certain parameters of the OpenSSH client are configured. The parameters in question are RekeyLimit, GSSAPIAuthentication, Ciphers, PubkeyAcceptedKeyTypes, MACs and KexAlgorithms. Currently the requirements specified by CC are stricter than any existing crypto policy.
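The first-value-wins parsing rule from the Description and the six parameters named in the Rationale, as an added example that is not code from the SSG page or from OpenSSH: a POSIX sh emulation of how the client picks each keyword from ssh_config.d fragments in lexical order, plus a check that 02-ospp.conf is the fragment that wins for every CC-relevant parameter. The sample fragments, the filename 06-ospp.conf and all parameter values are constructed for the demo; the real 05-redhat.conf pulls its values in via Include, which this emulation does not follow.

```shell
# Emulates OpenSSH client keyword resolution across /etc/ssh/ssh_config.d/*.conf:
# the Include glob expands in lexical order and the FIRST value seen wins, so an
# override fragment only takes effect if it sorts before 05-redhat.conf.
# Assumptions: plain "Keyword value" lines, no Host/Match scoping, no nested Include.
export LC_ALL=C
CC_KEYWORDS="RekeyLimit GSSAPIAuthentication Ciphers PubkeyAcceptedKeyTypes MACs KexAlgorithms"
# first_in_file FILE KEYWORD: value of the first (case-insensitive) match in FILE
first_in_file() {
    lc=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v kw="$lc" '/^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == kw { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }' "$1"
}
# effective_value DIR KEYWORD: the value the client would actually use
effective_value() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        v=$(first_in_file "$f" "$2")
        [ -n "$v" ] && { printf '%s\n' "$v"; return 0; }
    done
    return 0
}
# first_definer DIR KEYWORD: basename of the fragment whose value wins, or "none"
first_definer() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] && [ -n "$(first_in_file "$f" "$2")" ] && { basename "$f"; return 0; }
    done
    echo none
}
# check_override DIR: "pass" if 02-ospp.conf exists and wins for every CC keyword
check_override() {
    [ -f "$1/02-ospp.conf" ] || { echo "fail: 02-ospp.conf missing"; return 1; }
    rc=0
    for kw in $CC_KEYWORDS; do
        src=$(first_definer "$1" "$kw")
        [ "$src" = "02-ospp.conf" ] || { echo "fail: $kw resolved from $src"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo pass
    return "$rc"
}
# make_demo_dir NAME: constructed fragments (values illustrative, not the CC-required set);
# the stand-in 05-redhat.conf carries policy values inline instead of via Include.
make_demo_dir() {
    d=$(mktemp -d)
    printf '%s\n' 'GSSAPIAuthentication yes' 'Ciphers aes256-gcm@openssh.com' \
        'MACs hmac-sha2-256-etm@openssh.com' > "$d/05-redhat.conf"
    printf '%s\n' 'RekeyLimit 512M 1h' 'GSSAPIAuthentication no' 'Ciphers aes256-ctr,aes128-ctr' \
        'PubkeyAcceptedKeyTypes rsa-sha2-512' 'MACs hmac-sha2-512' 'KexAlgorithms ecdh-sha2-nistp384' > "$d/$1"
    echo "$d"
}
```

On a real host, `check_override /etc/ssh/ssh_config.d` reports which keyword is still being taken from another fragment; `ssh -G host` shows the client's own view of the effective values.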
- ID: xccdf_org.ssgproject.content_rule_harden_ssh_client_crypto_policy
- Severity: Medium
- References
- Updated