STIGQter STIGQter: STIG Summary: Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 10 Mar 2021:

The Ubuntu operating system must configure the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.

DISA Rule

SV-238216r654316_rule

Vulnerability Number

V-238216

Group Title

SRG-OS-000424-GPOS-00188

Rule Version

UBTU-20-010043

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS 140-2 approved ciphers.

Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):

MACs hmac-sha2-512,hmac-sha2-256

Restart the SSH daemon for the changes to take effect:

$ sudo systemctl reload sshd.service

Check Contents

Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers with the following command:

$ grep -i macs /etc/ssh/sshd_config

MACs hmac-sha2-512,hmac-sha2-256

If any ciphers other than "hmac-sha2-512" or "hmac-sha2-256" are listed, the order differs from the example above, or the returned line is commented out, this is a finding.

Vulnerability Number

V-238216

Documentable

False

Rule Version

UBTU-20-010043

Severity Override Guidance

Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers with the following command:

$ grep -i macs /etc/ssh/sshd_config

MACs hmac-sha2-512,hmac-sha2-256

If any ciphers other than "hmac-sha2-512" or "hmac-sha2-256" are listed, the order differs from the example above, or the returned line is commented out, this is a finding.

Check Content Reference

M

Target Key

5318

Comments