Detections
Analytics

5.1.1 Ensure sshd crypto_policy is not set

Information

System-wide Crypto policy can be over-ridden or opted out of for openSSH

Over-riding or opting out of the system-wide crypto policy could allow for the use of less secure Ciphers, MACs, KexAlgorithms and GSSAPIKexAlgorithm

Note: If changes to the system-wide crypto policy are required to meet local site policy for the openSSH server, these changes should be done with a sub-policy assigned to the system-wide crypto policy. For additional information see the CRYPTO-POLICIES(7) man page

Solution

Run the following commands:

# sed -ri '/^\s*CRYPTO_POLICY\s*=/Is/^/# /' /etc/sysconfig/sshd

# systemctl reload sshd

See Also

https://workbench.cisecurity.org/benchmarks/23598

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-17, 800-53|AC-17(2), CSCv7|14.4

Plugin: Unix

Control ID: beb07c0a9e8d4ed7b8b4766ea0b2e177754cdf124125f7c1060c351e36ab85b6