1.6.3 Ensure system wide crypto policy is not set in sshd configuration

Information

The system-wide crypto policy can be overridden, or opted out of entirely, for OpenSSH.

Overriding or opting out of the system-wide crypto policy could allow the use of less secure Ciphers, MACs, KexAlgorithms and GSSAPIKexAlgorithms.

Note: If changes to the system-wide crypto policy are required to meet local site policy for the OpenSSH server, they should be made through a sub-policy assigned to the system-wide crypto policy. For additional information, see the CRYPTO-POLICIES(7) man page.

Solution

Run the following commands:

# sed -ri "/^\s*(CRYPTO_POLICY\s*=)/Is/^/# /" /etc/sysconfig/ssh

# systemctl reload sshd
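As an added example (not part of this benchmark item), the following POSIX shell routine audits a sysconfig file for an active CRYPTO_POLICY line and applies the item's own sed command to comment it out. It runs against a constructed sample instead of the live /etc/sysconfig/ssh; the file path, the sample content and the function names are assumptions.

```shell
# Constructed sample of an /etc/sysconfig/ssh that opts out of the
# system-wide policy: a lower-case, indented CRYPTO_POLICY line that the
# item's case-insensitive, whitespace-tolerant check must still catch.
sample_sysconfig() {
  cat <<'EOF'
## Path: Network/Remote access/SSH
# Options for the sshd daemon
SSHD_OPTS=""
  crypto_policy=
EOF
}

# Count active (uncommented) CRYPTO_POLICY assignments in the given file.
# Leading whitespace and letter case are ignored; '#' lines do not count.
count_active() {
  grep -Eic '^[[:space:]]*CRYPTO_POLICY[[:space:]]*=' "$1" || true
}

# Audit: return 0 (pass) when no active CRYPTO_POLICY line exists,
# 1 (fail) when the file overrides the system-wide crypto policy.
audit_crypto_policy() {
  [ "$(count_active "$1")" -eq 0 ]
}

# Remediate: the benchmark's sed, applied to the given file. Prefixes every
# matching line with "# " so the system-wide policy applies again.
# Reloading sshd is left to the caller (see the item's second command).
remediate_crypto_policy() {
  sed -ri "/^\s*(CRYPTO_POLICY\s*=)/Is/^/# /" "$1"
}
```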

See Also

https://workbench.cisecurity.org/benchmarks/26236

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17, 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: Unix

Control ID: e7b4fe1a99ff51ab5a3d92c1956b659172cf4c77861dafe8b8d831f1da574c0e