Use Only FIPS 140-2 Validated Key Exchange Algorithms

An XCCDF Rule

Description

Limit the key exchange algorithms to those which are FIPS-approved. Add or modify the following line in /etc/ssh/sshd_config

KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256

This rule ensures that only the key exchange algorithms mentioned above (or their subset) are configured for use, keeping the given order of algorithms.

warning alert: Warning

The system needs to be rebooted for these changes to take effect.

warning alert: Regulatory Warning

System crypto modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this requirements, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.

Rationale

DoD information systems are required to use FIPS-approved key exchange algorithms. The system will attempt to use the first algorithm presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest algorithm available to secure the SSH connection.

ID: xccdf_org.ssgproject.content_rule_sshd_use_approved_kex_ordered_stig
Severity: Medium
References: CCI-001453

AC-17(2)

SRG-OS-000250-GPOS-00093

SLES-15-040450

CCE-92505-7

SV-255920r880961_rule
Updated: about 1 year ago

- name: Configure sshd to use FIPS 140-2 approved key exchange algorithms
  lineinfile:
    path: /etc/ssh/sshd_config
    line: KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
    state: present
    regexp: ^\s*KexAlgorithms\s*    create: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-92505-7
  - DISA-STIG-SLES-15-040450
  - NIST-800-53-AC-17(2)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_use_approved_kex_ordered_stig

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

KEX_ALGOS="ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,\
diffie-hellman-group-exchange-sha256"
if grep -q -P '^\s*KexAlgorithms\s+' /etc/ssh/sshd_config; then
  sed -i "s/^\s*KexAlgorithms.*/KexAlgorithms ${KEX_ALGOS}/" /etc/ssh/sshd_config
else
  echo "KexAlgorithms ${KEX_ALGOS}" >> /etc/ssh/sshd_config
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Use Only FIPS 140-2 Validated Key Exchange Algorithms

Description

Rationale

Remediation - Ansible

Remediation - Shell Script