{"description": "Crypto Policies provide centralized control over the cryptographic algorithms used by many packages.\nSSH is supported by crypto policy, but the SSH configuration may be\nset up to ignore it.\nTo check that Crypto Policies settings are configured correctly, ensure that\nthe <tt>CRYPTO_POLICY</tt> variable is either commented out or not set at all\nin <tt>/etc/sysconfig/sshd</tt>.", "rationale": "Overriding the system crypto policy makes the behavior of the SSH service violate expectations,\nand makes system configuration more fragmented.", "severity": "medium", "references": {"hipaa": ["164.308(a)(4)(i)", "164.308(b)(1)", "164.308(b)(3)", "164.312(e)(1)", "164.312(e)(2)(ii)"], "nerc-cip": ["CIP-003-8 R4.2", "CIP-007-3 R5.1", "CIP-007-3 R7.1"], "nist": ["AC-17(a)", "AC-17(2)", "CM-6(a)", "MA-4(6)", "SC-13"], "ospp": ["FCS_SSH_EXT.1", "FCS_SSHS_EXT.1", "FCS_SSHC_EXT.1"], "pcidss": ["Req-2.2"], "srg": ["SRG-OS-000250-GPOS-00093"], "ism": ["0418"], "pcidss4": ["2.2.7", "2.2"]}, "control_references": {"ism": ["0418"], "pcidss4": ["2.2.7", "2.2"]}, "components": [], "identifiers": {}, "ocil_clause": "the CRYPTO_POLICY variable is set or is not commented out in /etc/sysconfig/sshd", "ocil": "Verify that sshd isn't configured to ignore the system-wide cryptographic policy.\n\nCheck that the <tt>CRYPTO_POLICY</tt> variable is not set or is commented out in\n<tt>/etc/sysconfig/sshd</tt>.\n\nRun the following command:\n\n$ sudo grep CRYPTO_POLICY /etc/sysconfig/sshd", "oval_external_content": null, "fixtext": "Configure OpenSSH to not ignore the system-wide cryptographic policy.\nRun the following command:\n\n$ sudo sed -i \"/^\\s*CRYPTO_POLICY.*$/Id\" /etc/sysconfig/sshd", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must implement approved encryption in the OpenSSH package.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], 
"sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Configure SSH to use System Crypto Policy", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml", "template": null}