{"description": "Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSH server.\nThe SSHD service is by default configured to modify its configuration based on currently configured Crypto-Policy. However, in certain cases it might be needed to override the Crypto Policy specific to OpenSSH Server and leave rest of the Crypto Policy intact.\nThis can be done by dropping a file named <tt>opensshserver-xxx.config</tt>, replacing <tt>xxx</tt> with arbitrary identifier, into <tt>/etc/crypto-policies/local.d</tt>. This has to be followed by running <tt>update-crypto-policies</tt> so that changes are applied.\nChanges are propagated into <tt>/etc/crypto-policies/back-ends/opensshserver.config</tt>. This rule checks if this file contains predefined <tt>CRYPTO_POLICY</tt> environment variable configured with predefined value.", "rationale": "The Common Criteria requirements specify that certain parameters for OpenSSH Server are configured e.g. supported ciphers, accepted host key algorithms, public key types, key exchange algorithms, HMACs and GSSAPI key exchange is disabled. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy.", "severity": "medium", "references": {"nerc-cip": ["CIP-003-8 R4.2", "CIP-007-3 R5.1", "CIP-007-3 R7.1"], "nist": ["AC-17(a)", "AC-17(2)", "CM-6(a)", "MA-4(6)", "SC-13", "SC-12(2)", "SC-12(3)"], "srg": ["SRG-OS-000250-GPOS-00093", "SRG-OS-000033-GPOS-00014", "SRG-OS-000120-GPOS-00061"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "Crypto Policy for OpenSSH Server is not configured according to CC requirements", "ocil": "To verify if the OpenSSH server uses defined Crypto Policy, run:\n<pre>$ grep 'CRYPTO_POLICY' /etc/crypto-policies/back-ends/opensshserver.config | tail -n 1</pre>\nand verify that the line matches\n<pre>CRYPTO_POLICY='-oCiphers=aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc -oMACs=hmac-sha2-512,hmac-sha2-256 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 -oPubkeyAcceptedKeyTypes=rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256'</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "package[openssh]", "platforms": ["package[openssh]"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["package_openssh"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Harden SSHD Crypto Policy", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/rule.yml", "template": null}