ESXI-80-000014 The ESXi host Secure Shell (SSH) daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions.

Information

Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.

OpenSSH on the ESXi host ships with a FIPS 140-2 validated cryptographic module and it is enabled by default. For backward compatibility reasons, this can be disabled so this setting must be audited and corrected if necessary.

Solution

From an ESXi shell, run the following command:

# esxcli system security fips140 ssh set -e true

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.security.fips140.ssh.set.CreateArgs()
$arguments.enable = $true
$esxcli.system.security.fips140.ssh.set.Invoke($arguments)

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_8-0_Y24M08_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-17(2), CAT|I, CCI|CCI-000068, Rule-ID|SV-258732r958408_rule, STIG-ID|ESXI-80-000014, Vuln-ID|V-258732

Plugin: Unix

Control ID: 9348ac43b4fe6a8bc3f0143c3b7a408da96f37ac35251231f4c514bf72d4b88a