SRG-OS-000250-ESXI5 - SSH daemon must be configured to only use Message Authentication Codes (MACs) with FIPS 140-2 approved crypto

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. For the SSH daemon this means restricting the MACs directive to keyed-hash (HMAC) constructions built on SHA-1 or SHA-2, since the MAC is what protects the integrity of every SSH packet after key exchange.

Solution

Disable lockdown mode. Enable the ESXi Shell. Execute the following command:
# vi /etc/ssh/sshd_config

Add or modify the attribute line to the following (quotes for emphasis only):
'MACs <hmac-sha1 or hmac-sha2 variant(s)>'
The value may include any number of the following comma-separated variants: hmac-sha1, hmac-sha1-96, hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512, hmac-sha2-512-96. Remove any other MAC name from the list, and do not simply leave the directive out: when sshd_config has no MACs line, sshd falls back to its built-in default list, which includes MACs that are not on this list (for example hmac-md5). sshd honours only the first MACs directive in the file, so a later, stricter line does not override an earlier permissive one.

Re-enable lockdown mode.
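The following is an added example, not part of the STIG or of the Tenable audit, showing how the check behind this finding can be scripted: it reads an sshd_config from stdin, takes the first MACs directive the way sshd does, and fails if the directive is missing or names any MAC outside the list given in the Solution. The allowed list is copied from the text above; the sample configurations at the bottom are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the STIG or the audit): verify that an sshd_config
# restricts SSH MACs to the FIPS 140-2 approved HMAC variants named above.

# Allowed MAC names, taken from the Solution text.
ALLOWED_MACS="hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96"

# check_macs_config: reads sshd_config text on stdin.
# Prints PASS/FAIL with a reason; returns 0 on pass, 1 on fail.
check_macs_config() {
    # sshd uses the first occurrence of a keyword; the keyword match is
    # case-insensitive and both "MACs value" and "MACs=value" are accepted.
    line=$(grep -i '^[[:space:]]*MACs[[:space:]=]' | head -n 1)
    if [ -z "$line" ]; then
        echo "FAIL: no MACs directive; sshd would use its built-in default list"
        return 1
    fi
    # Drop trailing comments, normalise "=" to a space, take the argument,
    # and split the comma-separated list into words.
    macs=$(printf '%s\n' "$line" | sed 's/#.*//; s/=/ /' | awk '{print $2}' | tr ',' ' ')
    if [ -z "$macs" ]; then
        echo "FAIL: MACs directive has no value: $line"
        return 1
    fi
    for m in $macs; do
        ok=0
        for a in $ALLOWED_MACS; do
            [ "$m" = "$a" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "FAIL: non-approved MAC '$m' in: $line"
            return 1
        fi
    done
    echo "PASS: $macs"
    return 0
}

# Constructed sample configurations (not taken from a real ESXi host).
GOOD='Protocol 2
MACs hmac-sha2-256,hmac-sha2-512
Ciphers aes256-ctr'
BAD_MD5='Protocol 2
MACs hmac-md5,hmac-sha2-256'
MISSING='Protocol 2
Ciphers aes256-ctr'

# Run the check against each sample; "|| :" keeps the demo going on FAIL.
for sample in "$GOOD" "$BAD_MD5" "$MISSING"; do
    printf '%s\n' "$sample" | check_macs_config || :
done
```

Run it against a live host with `check_macs_config < /etc/ssh/sshd_config` from the ESXi Shell (or against a copy pulled from the host). The weak and missing-directive samples both fail, which is the point of treating an absent MACs line as a finding rather than a pass.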

See Also

http://iase.disa.mil/stigs/os/virtualization/Pages/index.aspx