Use Only FIPS 140-2 Validated Ciphers
An XCCDF Rule
Description
Limit the ciphers to those algorithms which are FIPS-approved.
Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
The following line in /etc/ssh/sshd_config
demonstrates use of FIPS-approved ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbcThe man page
sshd_config(5)
contains a list of supported ciphers.
The rule is parametrized to use the following ciphers:
.
warning alert: Warning
warning alert: Regulatory Warning
Rationale
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore
cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to
cryptographic modules.
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules
utilize authentication that meets industry and government requirements. For government systems, this allows
Security Levels 1, 2, 3, or 4 for use on Ubuntu 20.04.
- ID
- xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: XCCDF Value sshd_approved_ciphers # promote to variable
set_fact:
sshd_approved_ciphers: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_sshd_approved_ciphers" use="legacy"/>
tags:
- always
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
sshd_approved_ciphers='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_sshd_approved_ciphers" use="legacy"/>'