|
|
b5e178 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
|
|
|
b5e178 |
index abcebf60c7..50c7d689af 100644
|
|
|
b5e178 |
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
|
|
|
b5e178 |
@@ -61,7 +61,6 @@ references:
|
|
|
b5e178 |
nist-csf: PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.AC-7,PR.IP-1,PR.PT-1,PR.PT-3,PR.PT-4
|
|
|
b5e178 |
srg: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
|
|
|
b5e178 |
vmmsrg: SRG-OS-000033-VMM-000140,SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000396-VMM-001590
|
|
|
b5e178 |
- stigid@rhel7: RHEL-07-040110
|
|
|
b5e178 |
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6'
|
|
|
b5e178 |
isa-62443-2009: 4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
|
|
|
b5e178 |
cobit5: APO11.04,APO13.01,BAI03.05,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.06,DSS06.10,MEA02.01
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml
|
|
|
b5e178 |
new file mode 100644
|
|
|
b5e178 |
index 0000000000..4796a2eab1
|
|
|
b5e178 |
--- /dev/null
|
|
|
b5e178 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml
|
|
|
b5e178 |
@@ -0,0 +1,13 @@
|
|
|
b5e178 |
+# platform = Red Hat Enterprise Linux 7,Oracle Linux 7
|
|
|
b5e178 |
+# reboot = false
|
|
|
b5e178 |
+# strategy = restrict
|
|
|
b5e178 |
+# complexity = low
|
|
|
b5e178 |
+# disruption = low
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+- name: "Configure sshd to use approved ciphers"
|
|
|
b5e178 |
+ lineinfile:
|
|
|
b5e178 |
+ path: /etc/ssh/sshd_config
|
|
|
b5e178 |
+ line: 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr'
|
|
|
b5e178 |
+ state: present
|
|
|
b5e178 |
+ regexp: '^[\s]*[Cc]iphers[\s]+(aes256-ctr(?=[\w,-@]+|$),?)?(aes192-ctr(?=[\w,-@]+|$),?)?(aes128-ctr(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$'
|
|
|
b5e178 |
+ create: True
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh
|
|
|
b5e178 |
new file mode 100644
|
|
|
b5e178 |
index 0000000000..8f751ed516
|
|
|
b5e178 |
--- /dev/null
|
|
|
b5e178 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh
|
|
|
b5e178 |
@@ -0,0 +1,7 @@
|
|
|
b5e178 |
+# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+if grep -q -P '^\s*[Cc]iphers\s+' /etc/ssh/sshd_config; then
|
|
|
b5e178 |
+ sed -i 's/^\s*[Cc]iphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config
|
|
|
b5e178 |
+else
|
|
|
b5e178 |
+ echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config
|
|
|
b5e178 |
+fi
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml
|
|
|
b5e178 |
new file mode 100644
|
|
|
b5e178 |
index 0000000000..53ff0a2a9e
|
|
|
b5e178 |
--- /dev/null
|
|
|
b5e178 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml
|
|
|
b5e178 |
@@ -0,0 +1,38 @@
|
|
|
b5e178 |
+<def-group>
|
|
|
b5e178 |
+ <definition class="compliance" id="sshd_use_approved_ciphers_ordered_stig" version="1">
|
|
|
b5e178 |
+ {{{ oval_metadata("Limit the ciphers to those which are FIPS-approved.") }}}
|
|
|
b5e178 |
+ <criteria operator="AND">
|
|
|
b5e178 |
+ <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" />
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+ operator="OR">
|
|
|
b5e178 |
+ <criteria comment="sshd is not installed" operator="AND">
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+ definition_ref="sshd_not_required_or_unset" />
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+ definition_ref="package_openssh-server_removed" />
|
|
|
b5e178 |
+ </criteria>
|
|
|
b5e178 |
+ <criteria comment="sshd is installed and configured" operator="AND">
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+ definition_ref="sshd_required_or_unset" />
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+ definition_ref="package_openssh-server_installed" />
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+ test_ref="test_sshd_use_approved_ciphers_ordered_stig" />
|
|
|
b5e178 |
+ </criteria>
|
|
|
b5e178 |
+ </criteria>
|
|
|
b5e178 |
+ </criteria>
|
|
|
b5e178 |
+ </definition>
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+ comment="tests the value of Ciphers setting in the /etc/ssh/sshd_config file"
|
|
|
b5e178 |
+ id="test_sshd_use_approved_ciphers_ordered_stig" version="1">
|
|
|
b5e178 |
+ <ind:object object_ref="obj_sshd_use_approved_ciphers_ordered_stig" />
|
|
|
b5e178 |
+ </ind:textfilecontent54_test>
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+ <ind:textfilecontent54_object id="obj_sshd_use_approved_ciphers_ordered_stig" version="1">
|
|
|
b5e178 |
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
|
|
|
b5e178 |
+ <ind:pattern operation="pattern match">^[\s]*(?i)Ciphers(?-i)[\s]+(?=[\w]+)(aes256-ctr(?=[\w,]+|$),?)?(aes192-ctr(?=[\w,]+|$),?)?(aes128-ctr)?[\s]*(?:#.*)?$</ind:pattern>
|
|
|
b5e178 |
+ <ind:instance datatype="int">1</ind:instance>
|
|
|
b5e178 |
+ </ind:textfilecontent54_object>
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+</def-group>
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
|
|
|
b5e178 |
new file mode 100644
|
|
|
b5e178 |
index 0000000000..0751064179
|
|
|
b5e178 |
--- /dev/null
|
|
|
b5e178 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
|
|
|
b5e178 |
@@ -0,0 +1,64 @@
|
|
|
b5e178 |
+documentation_complete: true
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+prodtype: rhel7
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+title: 'Use Only FIPS 140-2 Validated Ciphers'
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+description: |-
|
|
|
b5e178 |
+ Limit the ciphers to those algorithms which are FIPS-approved.
|
|
|
b5e178 |
+ The following line in <tt>/etc/ssh/sshd_config</tt>
|
|
|
b5e178 |
+ demonstrates use of FIPS-approved ciphers:
|
|
|
b5e178 |
+ Ciphers aes256-ctr,aes192-ctr,aes128-ctr
|
|
|
b5e178 |
+ This rule ensures that there are configured ciphers mentioned
|
|
|
b5e178 |
+ above (or their subset), keeping the given order of algorithms.
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+rationale: |-
|
|
|
b5e178 |
+ Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore
|
|
|
b5e178 |
+ cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+ Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to
|
|
|
b5e178 |
+ cryptographic modules.
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+ FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules
|
|
|
b5e178 |
+ utilize authentication that meets industry and government requirements. For government systems, this allows
|
|
|
b5e178 |
+ Security Levels 1, 2, 3, or 4 for use on {{{ full_name }}}.
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+severity: medium
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+identifiers:
|
|
|
b5e178 |
+ cce@rhel7: CCE-83398-8
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+references:
|
|
|
b5e178 |
+ disa: CCI-000068,CCI-000366,CCI-000803,CCI-000877,CCI-002890,CCI-003123
|
|
|
b5e178 |
+ srg: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
|
|
|
b5e178 |
+ stigid@rhel7: RHEL-07-040110
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+ocil_clause: 'FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved'
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+ocil: |-
|
|
|
b5e178 |
+ Only FIPS ciphers should be used. To verify that only FIPS-approved
|
|
|
b5e178 |
+ ciphers are in use, run the following command:
|
|
|
b5e178 |
+ $ sudo grep Ciphers /etc/ssh/sshd_config
|
|
|
b5e178 |
+ The output should contain only following ciphers (or a subset) in the exact order:
|
|
|
b5e178 |
+ aes256-ctr,aes192-ctr,aes128-ctr
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+warnings:
|
|
|
b5e178 |
+ - general: |-
|
|
|
b5e178 |
+ The system needs to be rebooted for these changes to take effect.
|
|
|
b5e178 |
+ - regulatory: |-
|
|
|
b5e178 |
+ System Crypto Modules must be provided by a vendor that undergoes
|
|
|
b5e178 |
+ FIPS-140 certifications.
|
|
|
b5e178 |
+ FIPS-140 is applicable to all Federal agencies that use
|
|
|
b5e178 |
+ cryptographic-based security systems to protect sensitive information
|
|
|
b5e178 |
+ in computer and telecommunication systems (including voice systems) as
|
|
|
b5e178 |
+ defined in Section 5131 of the Information Technology Management Reform
|
|
|
b5e178 |
+ Act of 1996, Public Law 104-106. This standard shall be used in
|
|
|
b5e178 |
+ designing and implementing cryptographic modules that Federal
|
|
|
b5e178 |
+ departments and agencies operate or are operated for them under
|
|
|
b5e178 |
+ contract. See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}
|
|
|
b5e178 |
+ To meet this, the system has to have cryptographic software provided by
|
|
|
b5e178 |
+ a vendor that has undergone this certification. This means providing
|
|
|
b5e178 |
+ documentation, test results, design information, and independent third
|
|
|
b5e178 |
+ party review by an accredited lab. While open source software is
|
|
|
b5e178 |
+ capable of meeting this, it does not meet FIPS-140 unless the vendor
|
|
|
b5e178 |
+ submits to this process.
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/comment.fail.sh
|
|
|
b5e178 |
new file mode 100644
|
|
|
b5e178 |
index 0000000000..daff7d7c53
|
|
|
b5e178 |
--- /dev/null
|
|
|
b5e178 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/comment.fail.sh
|
|
|
b5e178 |
@@ -0,0 +1,7 @@
|
|
|
b5e178 |
+#!/bin/bash
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
|
|
|
b5e178 |
+ sed -i "s/^Ciphers.*/# ciphers aes256-ctr,aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config
|
|
|
b5e178 |
+else
|
|
|
b5e178 |
+ echo "# ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config
|
|
|
b5e178 |
+fi
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_reduced_list.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_reduced_list.pass.sh
|
|
|
b5e178 |
new file mode 100644
|
|
|
b5e178 |
index 0000000000..b9d22262af
|
|
|
b5e178 |
--- /dev/null
|
|
|
b5e178 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_reduced_list.pass.sh
|
|
|
b5e178 |
@@ -0,0 +1,7 @@
|
|
|
b5e178 |
+#!/bin/bash
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
|
|
|
b5e178 |
+ sed -i "s/^Ciphers.*/Ciphers aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config
|
|
|
b5e178 |
+else
|
|
|
b5e178 |
+ echo "Ciphers aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config
|
|
|
b5e178 |
+fi
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_scrambled.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_scrambled.fail.sh
|
|
|
b5e178 |
new file mode 100644
|
|
|
b5e178 |
index 0000000000..b99d3832cd
|
|
|
b5e178 |
--- /dev/null
|
|
|
b5e178 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_scrambled.fail.sh
|
|
|
b5e178 |
@@ -0,0 +1,7 @@
|
|
|
b5e178 |
+#!/bin/bash
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
|
|
|
b5e178 |
+ sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr/" /etc/ssh/sshd_config
|
|
|
b5e178 |
+else
|
|
|
b5e178 |
+ echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> /etc/ssh/sshd_config
|
|
|
b5e178 |
+fi
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_value.pass.sh
|
|
|
b5e178 |
new file mode 100644
|
|
|
b5e178 |
index 0000000000..6dfd54631c
|
|
|
b5e178 |
--- /dev/null
|
|
|
b5e178 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_value.pass.sh
|
|
|
b5e178 |
@@ -0,0 +1,7 @@
|
|
|
b5e178 |
+#!/bin/bash
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
|
|
|
b5e178 |
+ sed -i "s/^Ciphers.*/ciphers aes256-ctr,aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config
|
|
|
b5e178 |
+else
|
|
|
b5e178 |
+ echo 'ciphers aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
|
|
|
b5e178 |
+fi
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/line_not_there.fail.sh
|
|
|
b5e178 |
new file mode 100644
|
|
|
b5e178 |
index 0000000000..7b38914a1a
|
|
|
b5e178 |
--- /dev/null
|
|
|
b5e178 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/line_not_there.fail.sh
|
|
|
b5e178 |
@@ -0,0 +1,3 @@
|
|
|
b5e178 |
+#!/bin/bash
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+sed -i "/^Ciphers.*/d" /etc/ssh/sshd_config
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/no_parameters.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/no_parameters.fail.sh
|
|
|
b5e178 |
new file mode 100644
|
|
|
b5e178 |
index 0000000000..6fdb47093d
|
|
|
b5e178 |
--- /dev/null
|
|
|
b5e178 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/no_parameters.fail.sh
|
|
|
b5e178 |
@@ -0,0 +1,7 @@
|
|
|
b5e178 |
+#!/bin/bash
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
|
|
|
b5e178 |
+ sed -i "s/^Ciphers.*/Ciphers /" /etc/ssh/sshd_config
|
|
|
b5e178 |
+else
|
|
|
b5e178 |
+ echo 'Ciphers ' >> /etc/ssh/sshd_config
|
|
|
b5e178 |
+fi
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/wrong_value.fail.sh
|
|
|
b5e178 |
new file mode 100644
|
|
|
b5e178 |
index 0000000000..24fdf0f30d
|
|
|
b5e178 |
--- /dev/null
|
|
|
b5e178 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/wrong_value.fail.sh
|
|
|
b5e178 |
@@ -0,0 +1,7 @@
|
|
|
b5e178 |
+#!/bin/bash
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
|
|
|
b5e178 |
+ sed -i "s/^Ciphers.*/ Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se/" /etc/ssh/sshd_config
|
|
|
b5e178 |
+else
|
|
|
b5e178 |
+ echo " Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config
|
|
|
b5e178 |
+fi
|
|
|
b5e178 |
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
|
|
|
b5e178 |
index 6c06a8ede6..adf86894e1 100644
|
|
|
b5e178 |
--- a/rhel7/profiles/stig.profile
|
|
|
b5e178 |
+++ b/rhel7/profiles/stig.profile
|
|
|
b5e178 |
@@ -239,8 +239,7 @@ selections:
|
|
|
b5e178 |
- install_antivirus
|
|
|
b5e178 |
- accounts_max_concurrent_login_sessions
|
|
|
b5e178 |
- configure_firewalld_ports
|
|
|
b5e178 |
- - sshd_approved_ciphers=stig
|
|
|
b5e178 |
- - sshd_use_approved_ciphers
|
|
|
b5e178 |
+ - sshd_use_approved_ciphers_ordered_stig
|
|
|
b5e178 |
- accounts_tmout
|
|
|
b5e178 |
- sshd_enable_warning_banner
|
|
|
b5e178 |
- sssd_ldap_start_tls
|