
ESXI-06-100010 – The SSH daemon must be configured to only use FIPS 140-2 approved ciphers.

Details

Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance.

Note: This does not imply FIPS 140-2 certification.

Solution

Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.

Add or correct the following line in ‘/etc/ssh/sshd_config’:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc
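An added compliance check for this control (example code, not part of the STIG or of any VMware tooling): a POSIX shell script that reads the effective Ciphers value from an sshd_config file, compares it against the approved list from the Solution above, and fails when the directive is missing or lists anything else. The two sample config files are constructed for the demonstration; a real check targets /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Approved cipher set, taken from the Solution section of ESXI-06-100010.
APPROVED="aes128-ctr aes192-ctr aes256-ctr aes128-cbc aes192-cbc aes256-cbc"

# Print the effective Ciphers value. sshd uses the first uncommented
# occurrence of a keyword, so only the first match counts.
effective_ciphers() {
    awk 'tolower($1)=="ciphers" { print $2; exit }' "$1"
}

# Print each configured cipher that is not in APPROVED, one per line.
unapproved_ciphers() {
    list=$(effective_ciphers "$1")
    echo "$list" | tr ',' '\n' | while read -r c; do
        [ -n "$c" ] || continue
        case " $APPROVED " in
            *" $c "*) ;;
            *) echo "$c" ;;
        esac
    done
}

# Return 0 when the file is compliant, 1 when Ciphers is missing (the sshd
# default cipher set would apply) or includes a non-approved algorithm.
check_ssh_ciphers() {
    if [ -z "$(effective_ciphers "$1")" ]; then
        echo "FAIL: no Ciphers directive in $1"
        return 1
    fi
    bad=$(unapproved_ciphers "$1")
    if [ -n "$bad" ]; then
        echo "FAIL: non-approved ciphers in $1:"
        echo "$bad"
        return 1
    fi
    echo "PASS: $1 restricts Ciphers to the approved set"
    return 0
}

# Constructed sample files (hypothetical content) used only for this demo.
WEAK=$(mktemp)
GOOD=$(mktemp)
printf 'Port 22\nCiphers aes128-ctr,chacha20-poly1305@openssh.com,3des-cbc\n' > "$WEAK"
printf 'Port 22\nCiphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc\n' > "$GOOD"
check_ssh_ciphers "$WEAK" || true
check_ssh_ciphers "$GOOD"
```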

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Unix.

References

Source

Updated on July 16, 2022