4.2.22 Ensure sshd crypto_policy is not set

Information

System-wide Crypto policy can be over-ridden or opted out of for openSSH

Over-riding or opting out of the system-wide crypto policy could allow for the use of less secure Ciphers, MACs, KexAlgorithms and GSSAPIKexAlgorithm

Note: If changes to the system-wide crypto policy are required to meet local site policy for the openSSH server, these changes should be done with a sub-policy assigned to the system-wide crypto policy. For additional information see the CRYPTO-POLICIES(7) man page

Solution

Run the following commands:

# sed -ri "s/^s*(CRYPTO_POLICYs*=.*)$/# 1/" /etc/sysconfig/sshd

# systemctl reload sshd

See Also

https://workbench.cisecurity.org/benchmarks/15286

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: Unix

Control ID: 28f9af1c7602ca901093ea3bc9db745d6d1021f4c1e22300f22e06ace65ac9a8