Use Only Strong MACs
An XCCDF Rule
Description
Limit the MACs to strong hash algorithms.
The following line in /etc/ssh/sshd_config
demonstrates use
of those MACs:
MACs
Rationale
MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information
- ID
- xccdf_org.ssgproject.content_rule_sshd_use_strong_macs
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
sshd_strong_macs='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_sshd_strong_macs" use="legacy"/>'
Remediation - Ansible
- name: XCCDF Value sshd_strong_macs # promote to variable
set_fact:
sshd_strong_macs: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_sshd_strong_macs" use="legacy"/>
tags:
- always