Detections
Analytics
AZLX-23-001275 - Amazon Linux 2023 must implement DOD-approved encryption to protect the confidentiality of remote access sessions.
Information
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information.
Solution
Configure Amazon Linux 2023 SSH server to use only ciphers employing FIPS 140-2/140-3 approved algorithms by updating the "/etc/crypto-policies/back-ends/opensshserver.config" file with the following line:Ciphers [email protected],aes256-ctr,[email protected],aes128-ctr
A reboot is required for the changes to take effect.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Amazon_Linux_2023_V1R2_STIG.zip
Item Details
Audit Name: DISA Amazon Linux 2023 STIG v1r2
Category: ACCESS CONTROL
References: 800-53|AC-17(2), CAT|I, CCI|CCI-000068, Rule-ID|SV-274056r1120156_rule, STIG-ID|AZLX-23-001275, Vuln-ID|V-274056
Plugin: Unix
Control ID: 23be228b548f1e850edac3b857a0cedb51753f4ae2edbd5905472865892f3e44