OL08-00-010291 - The OL 8 SSH server must be configured to use only ciphers employing FIPS 140-2 validated cryptographic algorithms.

Information

Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and DoD data may be compromised.

Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.

FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.

The system will attempt to use the first hash presented by the client that matches the server list. Listing the values 'strongest to weakest' is a method to ensure the use of the strongest cipher available to secure the SSH connection.

Solution

Configure the OL 8 SSH server to use only ciphers employing FIPS 140-2 approved algorithms:

Update the '/etc/crypto-policies/back-ends/opensshserver.config' file to include these ciphers employing FIPS 140-2-approved algorithms:

CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr,[email protected],[email protected]'

A reboot is required for the changes to take effect.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_8_V2R2_STIG.zip

Item Details

Category: MAINTENANCE

References: 800-53|MA-4c., CAT|II, CCI|CCI-000877, Rule-ID|SV-248562r958510_rule, STIG-ID|OL08-00-010291, Vuln-ID|V-248562

Plugin: Unix

Control ID: 0c3a70155afd2220889c98182ab77a85d98393c6cf32a4bd9f7d9e3b6abd1b43