The SLES for vRealize must implement DoD-approved encryption to protect the confidentiality of remote access sessions - SSH Client.

From VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide

Part of SRG-OS-000033-GPOS-00014

Associated with: CCI-000068

SV-99025r1_rule The SLES for vRealize must implement DoD-approved encryption to protect the confidentiality of remote access sessions - SSH Client.

Vulnerability discussion

Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information.

Check content

Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the Cipher setting in the ssh_config file. # grep -i Ciphers /etc/ssh/ssh_config | grep -v '#' The output must contain either none or any number of the following algorithms: aes128-ctr, aes256-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr

Fix text

Update the Ciphers directive with the following command: # sed -i "/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr" /etc/ssh/ssh_config Save and close the file.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer