Detections
Analytics
ESXI-80-000187 - The ESXi host Secure Shell (SSH) daemon must be configured to only use FIPS 140-2 validated ciphers.
Information
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. ESXi must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.Solution
From an ESXi shell, run the following command:# esxcli system ssh server config set -k ciphers -v [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.ssh.server.config.set.CreateArgs()
$arguments.keyword = 'ciphers'
$arguments.value = '[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr'
$esxcli.system.ssh.server.config.set.Invoke($arguments)
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_8-0_Y25M07_STIG.zip
Item Details
Audit Name: DISA VMware vSphere 8.0 ESXi STIG v2r3 Unix
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-13, CAT|II, CCI|CCI-002450, Rule-ID|SV-258750r959006_rule, STIG-ID|ESXI-80-000187, Vuln-ID|V-258750
Plugin: Unix
Control ID: 49974a36ce8890aacb56344287ea7a1a52abb1321edfc70c1754a2955cc6e714