ComplianceAsCode / community

This repository is for management of all ComplianceAsCode community related initiatives.
Apache License 2.0

DISA: wrong ciphers in sshd_use_approved_macs #12

Closed shawndwells closed 4 years ago

shawndwells commented 7 years ago

DISA:

current ciphers are wrong:

^[\s]*(?i)MACs(?-i)[\s]+((hmac-sha1|hmac-sha2-256|hmac-sha2-512|hmac-sha1-etm@openssh\.com|hmac-sha2-256-etm@openssh\.com|hmac-sha2-512-etm@openssh\.com),?)+[\s]*(?:|(?:#.*))?$

shawndwells commented 7 years ago

They're not. @tbrunell please refer them to FIPS paperwork.

ajd394 commented 6 years ago

It seems that SHA1 is approved for HMAC per NIST 800-131a.

However, the current STIG benchmark appears to only permit the following:

for all value, at least one of the following must be true:
value must be equal to 'hmac-sha2-512'
value must be equal to 'hmac-sha2-256'

jflemer-ndp commented 6 years ago

Workaround

This is tailorable via xccdf_org.ssgproject.content_value_sshd_approved_macs.
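Added example (not code from this thread or from ComplianceAsCode): it puts the regex from the first comment next to the stricter STIG rule quoted by ajd394, and runs both over constructed sshd_config lines so the difference is visible. The regex is transcribed into Python's scoped-flag syntax because Python's re module does not accept the mid-pattern (?i)/(?-i) form; the helper names and sample lines are this example's own.

```python
import re

# The check quoted in the first comment, with (?i)MACs(?-i) rewritten as the
# scoped form (?i:MACs) that Python's re module accepts. Note it still admits
# hmac-sha1 and the *-etm@openssh.com variants.
DISA_ORIGINAL_RE = re.compile(
    r"^\s*(?i:MACs)\s+((hmac-sha1|hmac-sha2-256|hmac-sha2-512"
    r"|hmac-sha1-etm@openssh\.com|hmac-sha2-256-etm@openssh\.com"
    r"|hmac-sha2-512-etm@openssh\.com),?)+\s*(?:|(?:#.*))?$"
)

# The values the STIG benchmark quoted above permits: every listed MAC must be
# one of these two.
STIG_APPROVED_MACS = {"hmac-sha2-512", "hmac-sha2-256"}


def parse_macs_line(line):
    """Return the MAC list from a 'MACs' directive, or None for any other line.
    A trailing '#' comment is stripped; 'MACs value' and 'MACs=value' are accepted."""
    stripped = line.split("#", 1)[0].strip()
    m = re.match(r"(?i)macs[\s=]+(.+)$", stripped)
    if not m:
        return None
    return [mac for mac in m.group(1).split(",") if mac]


def disa_original_matches(line):
    """True if the regex from the first comment accepts the line."""
    return DISA_ORIGINAL_RE.match(line) is not None


def stig_compliant(line):
    """True only if the line is a MACs directive and all of its values are
    in STIG_APPROVED_MACS (the 'for all value, at least one must be true' rule)."""
    macs = parse_macs_line(line)
    if not macs:
        return False
    return all(mac in STIG_APPROVED_MACS for mac in macs)


# Constructed sample lines; the second and third pass the old regex but fail the STIG rule.
SAMPLE_LINES = [
    "MACs hmac-sha2-512,hmac-sha2-256",
    "MACs hmac-sha1,hmac-sha2-256   # legacy",
    "macs hmac-sha2-512-etm@openssh.com",
    "Ciphers aes256-ctr",
]


def compare(lines):
    """Map each line to (accepted by old regex, compliant with STIG rule)."""
    return {line: (disa_original_matches(line), stig_compliant(line)) for line in lines}
```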