{"description": "Crypto Policies are a means of enforcing certain cryptographic settings for selected applications, including the OpenSSH client.\nTo override the system-wide crypto policy for the OpenSSH client, place a file in <tt>/etc/ssh/ssh_config.d/</tt> so that it is loaded before <tt>05-redhat.conf</tt>. In this case it is a file named <tt>02-ospp.conf</tt> containing the parameters which need to be changed with respect to the crypto policy.\nThis rule checks if the file exists and if it contains the required parameters and values which modify the Crypto Policy.\nDuring the parsing process, as soon as the OpenSSH client parses some configuration option and its value, it remembers it and ignores any subsequent overrides. The customization mechanism provided by crypto policies appends any customizations at the end of the system-wide crypto policy. Therefore, if the crypto policy customization overrides some parameter which is already configured in the system-wide crypto policy, the SSH client will not honor that customized parameter.", "rationale": "The Common Criteria requirements specify how certain parameters for the OpenSSH Client are configured. The particular parameters are RekeyLimit, GSSAPIAuthentication, Ciphers, PubkeyAcceptedKeyTypes, MACs and KexAlgorithms.\nCurrently the particular requirements specified by CC are stricter than any existing Crypto Policy.", "severity": "medium", "references": {"nerc-cip": ["CIP-003-8 R4.2", "CIP-007-3 R5.1", "CIP-007-3 R7.1"], "nist": ["AC-17(a)", "AC-17(2)", "CM-6(a)", "MA-4(6)", "SC-13"], "srg": ["SRG-OS-000033-GPOS-00014", "SRG-OS-000250-GPOS-00093", "SRG-OS-000393-GPOS-00173", "SRG-OS-000394-GPOS-00174"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "Crypto Policy for OpenSSH Client is not configured according to CC requirements", "ocil": "To verify if the OpenSSH Client uses the defined Crypto Policy, run:\n<pre>$ cat /etc/ssh/ssh_config.d/02-ospp.conf</pre>\nand verify that the lines match\n<pre>Match final all</pre>\n<pre>RekeyLimit 512M 1h</pre>\n<pre>GSSAPIAuthentication no</pre>\n<pre>Ciphers aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc</pre>\n<pre>PubkeyAcceptedKeyTypes ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256</pre>\n<pre>MACs hmac-sha2-512,hmac-sha2-256</pre>\n<pre>KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Harden SSH client Crypto Policy", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/rule.yml", "template": null}