
Configure the Secure Shell setting to organizational standards.


CONTROL ID
08790
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Configure Red Hat Enterprise Linux to Organizational Standards., CC ID: 08713

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Ensure only strong MAC algorithms are used Description: This variable specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. **Note:** Some organizations may hav… (5.3.17, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 1)
  • Ensure SSH PAM is enabled Description: UsePAM enables the Pluggable Authentication Module interface. If set to “yes” this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authent… (5.3.22, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 1)
  • Ensure only strong Ciphers are used Description: This variable limits the ciphers that SSH can use during communication. **Note:** Some organizations may have stricter requirements for approved ciphers. Ensure that ciphers used are in compliance with site policy. Rationale: Weak ciphers that are use… (5.3.15, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 1)
  • Ensure only strong Key Exchange algorithms are used Description: Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. If the sender and receiver wish to exchange encrypted messages, each must be equipped … (5.3.18, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 1)
  • Ensure only strong Key Exchange algorithms are used Description: Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. If the sender and receiver wish to exchange encrypted messages, each must be equipped … (5.3.18, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 2)
  • Ensure only strong Ciphers are used Description: This variable limits the ciphers that SSH can use during communication. **Note:** Some organizations may have stricter requirements for approved ciphers. Ensure that ciphers used are in compliance with site policy. Rationale: Weak ciphers that are use… (5.3.15, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 2)
  • Ensure only strong MAC algorithms are used Description: This variable specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. **Note:** Some organizations may hav… (5.3.17, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 2)
  • Ensure SSH PAM is enabled Description: UsePAM enables the Pluggable Authentication Module interface. If set to “yes” this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authent… (5.3.22, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 2)
  • Title: Use Only Approved Cipher in Counter Mode Description: This variable limits the types of ciphers that SSH can use during communication. Rationale: Based on research conducted at various institutions, it was determined that the symmetric portion of the SSH Transport Protocol (as described i… (Rule: xccdf_org.cisecurity.benchmarks_rule_6.2.11_Use_Only_Approved_Cipher_in_Counter_Mode Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_6.2.11.1_sshd.ciphers, The Center for Internet Security CentOS 6 Level 1 Benchmark, 1.0.0)
  • Title: Use Only Approved Cipher in Counter Mode Description: This variable limits the types of ciphers that SSH can use during communication. Rationale: Based on research conducted at various institutions, it was determined that the symmetric portion of the SSH Transport Protocol (as described… (Rule: xccdf_org.cisecurity.benchmarks_rule_6.2.11_Use_Only_Approved_Cipher_in_Counter_Mode Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_6.2.11.1_sshd.ciphers, The Center for Internet Security Red Hat Enterprise Linux 6 Level 1 Benchmark, 1.2.0)
  • Title: Use Only Approved Cipher in Counter Mode Description: This variable limits the types of ciphers that SSH can use during communication. Rationale: Based on research conducted at various institutions, it was determined that the symmetric portion of the SSH Transport Protocol (as described… (Rule: xccdf_org.cisecurity.benchmarks_rule_6.2.11_Use_Only_Approved_Cipher_in_Counter_Mode Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_6.2.11.1_sshd.ciphers, The Center for Internet Security Red Hat Enterprise Linux 6 Level 2 Benchmark, 1.2.0)
  • Title: Use Only Approved Cipher in Counter Mode Description: This variable limits the types of ciphers that SSH can use during communication. Rationale: Based on research conducted at various institutions, it was determined that the symmetric portion of the SSH Transport Protocol (as des… (Rule: xccdf_org.cisecurity.benchmarks_rule_9.3.11_Use_Only_Approved_Cipher_in_Counter_Mode Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_9.3.11.1_sshd.ciphers, The Center for Internet Security Ubuntu 12.04 LTS Level 1 Benchmark, v1.0.0)
  • Title: Use Only Approved Cipher in Counter Mode Description: This variable limits the types of ciphers that SSH can use during communication. Rationale: Based on research conducted at various institutions, it was determined that the symmetric portion of the SSH Transport Protocol (as des… (Rule: xccdf_org.cisecurity.benchmarks_rule_9.3.11_Use_Only_Approved_Cipher_in_Counter_Mode Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_9.3.11.1_sshd.ciphers, The Center for Internet Security Ubuntu 12.04 LTS Level 2 Benchmark, v1.0.0)
  • Ensure SSH PAM is enabled Description: UsePAM enables the Pluggable Authentication Module interface. If set to “yes” this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authent… (5.2.16, CIS Oracle Linux 8 Benchmark, Server Level 1, v1.0.1)
  • Ensure SSH PAM is enabled Description: UsePAM enables the Pluggable Authentication Module interface. If set to “yes” this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authent… (5.2.16, CIS Oracle Linux 8 Benchmark, Server Level 2, v1.0.1)
  • Appropriate ciphers should be used for SSH. Technical Mechanisms: via /etc/ssh/sshd_config Parameters: approved ciphers References: Section: 3.5.2.10 - Use Only Approved Ciphers (CCE-14491-5, Common Configuration Enumeration List, Combined XML: Red Hat Enterprise Linux 5, 5.20130214)
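The authority documents above all reduce to four sshd_config keywords (Ciphers, MACs, KexAlgorithms, UsePAM), and the CIS checks audit the effective values that `sshd -T` prints rather than the raw config file, so defaults inherited from an absent line are caught too. The script below is an added example, not code from this control page, from the CIS benchmarks or from OpenSSH: it implements that audit as a POSIX sh function that reads `sshd -T` style output from stdin. The function names (`check_sshd_algs`, `flag_weak`, `audit_sample`), the weak-algorithm denylists and both sample configurations are the editor's assumptions and constructed data; the denylists follow the weak lists in the CIS editions cited above but should be reconciled with the benchmark edition and site policy actually in force.

```shell
#!/bin/sh
# Added example (not CIS, UCF or OpenSSH code): audit the effective sshd
# configuration the way the CIS "Ensure only strong Ciphers/MACs/Key Exchange
# algorithms are used" and "Ensure SSH PAM is enabled" checks do.
# On a host, run:   sshd -T | check_sshd_algs
# Below it is fed constructed sample output so it runs offline.

# Assumption: these denylists mirror the weak-algorithm lists in the CIS
# benchmarks cited on this page; the exact set varies by edition.
WEAK_CIPHERS='3des-cbc aes128-cbc aes192-cbc aes256-cbc arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc rijndael-cbc@lysator.liu.se'
WEAK_MACS='hmac-md5 hmac-md5-96 hmac-ripemd160 hmac-sha1 hmac-sha1-96 umac-64@openssh.com hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com hmac-ripemd160-etm@openssh.com hmac-sha1-etm@openssh.com hmac-sha1-96-etm@openssh.com umac-64-etm@openssh.com'
WEAK_KEX='diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1'

# flag_weak DENYLIST CSV LABEL
# Print a FAIL line for every comma-separated value in CSV that appears in the
# space-separated DENYLIST. Returns 1 if anything was flagged, else 0.
flag_weak() {
    _deny=$1; _csv=$2; _label=$3; _bad=0
    for _v in $(printf '%s' "$_csv" | tr ',' ' '); do
        for _w in $_deny; do
            if [ "$_v" = "$_w" ]; then
                printf 'FAIL %s: weak algorithm %s\n' "$_label" "$_v"
                _bad=1
            fi
        done
    done
    return $_bad
}

# check_sshd_algs < "sshd -T output"
# Reads the lowercase "keyword value" lines that sshd -T prints (effective
# values, defaults included) and returns 0 only when no weak cipher, MAC or
# key exchange algorithm is offered and UsePAM is yes.
check_sshd_algs() {
    _rc=0
    while read -r _key _value; do
        case "$_key" in
            ciphers)       flag_weak "$WEAK_CIPHERS" "$_value" ciphers       || _rc=1 ;;
            macs)          flag_weak "$WEAK_MACS"    "$_value" macs          || _rc=1 ;;
            kexalgorithms) flag_weak "$WEAK_KEX"     "$_value" kexalgorithms || _rc=1 ;;
            usepam)        [ "$_value" = yes ] || { printf 'FAIL usepam: %s (expected yes)\n' "$_value"; _rc=1; } ;;
        esac
    done
    return $_rc
}

# Constructed sample (not captured from a real host): an sshd that still
# offers CBC, SHA-1 and group1 algorithms and has PAM disabled.
SAMPLE_WEAK='ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes128-cbc,3des-cbc
macs hmac-sha2-256-etm@openssh.com,hmac-sha1
kexalgorithms curve25519-sha256,diffie-hellman-group1-sha1
usepam no'

# Constructed sample after remediation, i.e. what sshd -T shows once
# /etc/ssh/sshd_config carries lines such as
#   Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
#   MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
#   KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512
#   UsePAM yes
# (typical values; verify against the benchmark edition and site policy).
SAMPLE_STRONG='ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512
usepam yes'

# audit_sample NAME CONFIG: run the check on one sample and report the verdict.
audit_sample() {
    if printf '%s\n' "$2" | check_sshd_algs; then
        printf 'PASS %s\n' "$1"
    else
        printf 'FAIL %s\n' "$1"
    fi
}

audit_sample weak   "$SAMPLE_WEAK"    # prints five FAIL lines, then "FAIL weak"
audit_sample strong "$SAMPLE_STRONG"  # prints "PASS strong"
```

Because `sshd -T` expands defaults and Match blocks into the effective configuration, piping it into `check_sshd_algs` catches a host whose sshd_config simply omits the Ciphers, MACs or KexAlgorithms line; grepping the file would pass such a host. After editing sshd_config, rerun `sshd -t` to validate syntax and reload the service before trusting the new values.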