SV-233691r610285_rule
V-233691
SRG-OS-000033-GPOS-00014
AOSX-14-000055
CAT II
10
Configure SSH to use secure Keyed-Hash Message Authentication Codes.
To ensure that "MACs" set correctly, run the following command:
/usr/bin/sudo /usr/bin/grep -q '^MACs' /etc/ssh/sshd_config && /usr/bin/sudo /usr/bin/sed -i.bak 's/^MACs.*/MACs hmac-sha2-256,hmac-sha2-512/' /etc/ssh/sshd_config || /usr/bin/sudo /usr/bin/sed -i.bak '/.*Ciphers and keying.*/a\'$'\n''MACs hmac-sha2-512,hmac-sha2-256'$'\n' /etc/ssh/sshd_config
The SSH service must be restarted for changes to take effect.
If SSH is not being used, this is Not Applicable.
Inspect the "MACs" configuration with the following command:
Note: The location of the "sshd_config" file may vary if a different daemon is in use.
/usr/bin/grep "^Macs" /etc/ssh/sshd_config
MACs hmac-sha2-512,hmac-sha2-256
If any hashes other than "hmac-sha2-512" and/or "hmac-sha2-256" are listed, the order differs from the example above, or the "MACs" keyword is missing, this is a finding.
V-233691
False
AOSX-14-000055
If SSH is not being used, this is Not Applicable.
Inspect the "MACs" configuration with the following command:
Note: The location of the "sshd_config" file may vary if a different daemon is in use.
/usr/bin/grep "^Macs" /etc/ssh/sshd_config
MACs hmac-sha2-512,hmac-sha2-256
If any hashes other than "hmac-sha2-512" and/or "hmac-sha2-256" are listed, the order differs from the example above, or the "MACs" keyword is missing, this is a finding.
M
2930