Use Only FIPS 140-2 Validated Ciphers

An XCCDF Rule

Description

Limit the ciphers to those algorithms which are FIPS-approved. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers:

Ciphers aes256-ctr,aes192-ctr,aes128-ctr

This rule ensures that there are configured ciphers mentioned above (or their subset), keeping the given order of algorithms.

warning alert: Warning

The system needs to be rebooted for these changes to take effect.

warning alert: Regulatory Warning

System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.

Rationale

Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on Ubuntu 22.04.

ID: xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers_ordered_stig
Severity: Medium
References: CCI-000068 CCI-000366 CCI-000803 CCI-000877 CCI-002890 CCI-003123

SRG-OS-000033-GPOS-00014 SRG-OS-000120-GPOS-00061 SRG-OS-000125-GPOS-00065 SRG-OS-000250-GPOS-00093 SRG-OS-000393-GPOS-00173 SRG-OS-000394-GPOS-00174
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if grep -q -P '^\s*[Cc]iphers\s+' /etc/ssh/sshd_config; then
  sed -i 's/^\s*[Cc]iphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config
else  echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Configure sshd to use approved ciphers
  lineinfile:
    path: /etc/ssh/sshd_config
    line: Ciphers aes256-ctr,aes192-ctr,aes128-ctr
    state: present
    regexp: ^[\s]*[Cc]iphers[\s]+(aes256-ctr(?=[\w,-@]+|$),?)?(aes192-ctr(?=[\w,-@]+|$),?)?(aes128-ctr(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$    create: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_use_approved_ciphers_ordered_stig

Use Only FIPS 140-2 Validated Ciphers

Description

Rationale

Remediation - Shell Script

Remediation - Ansible