{"description": "Create a custom crypto policy module to enforce the use of strong ciphers and MACs in SSHD, disable CBC mode ciphers in SSHD and disable the use of weak MACs globally.\n\n\nAdd the following line to the file <tt>/etc/crypto-policies/policies/modules/NO-SSHCBC.pmod</tt>:\n<pre>\ncipher@SSH = -*-CBC\n</pre>\n\nThen, set the system wide crypto policy to use the custom policy.\n<pre>\n$ sudo update-crypto-policies --set DEFAULT:NO-SHA1:NO-SSHCBC\n</pre>", "rationale": "CBC mode ciphers are vulnerable to certain attacks, such as the BEAST attack.\nDisabling CBC mode ciphers helps protect against these attacks and ensures that only\nstrong, proven cryptographic algorithms are used to protect SSH communications.\nWeak ciphers that are used for authentication to the cryptographic module cannot be\nrelied upon to provide confidentiality or integrity, and system data may be compromised.\nMessage Authentication Codes (MACs) are cryptographic mechanisms used to verify the\nintegrity and authenticity of data transmitted over SSH connections. Weak MACs that\nare used for authentication to the cryptographic module cannot be relied upon to\nprovide integrity, and system data may be compromised. 
Implementing a custom crypto\npolicy that disables weak MAC algorithms helps ensure that only strong, proven\ncryptographic algorithms are used to protect SSH communications.", "severity": "medium", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the custom crypto policy modules do not exist", "ocil": "\n\nVerify that <tt>/etc/crypto-policies/policies/modules/NO-SSHCBC.pmod</tt> exists and has the following content:\n<pre>\ncipher@SSH = -*-CBC\n</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Implement Custom Crypto Policy Modules for CIS Benchmark", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/integrity/crypto/configure_custom_crypto_policy_cis/rule.yml", "template": {"name": "crypto_sub_policies", "vars": {"base_policy": "DEFAULT:NO-SHA1", "sub_policies": [{"module_name": "NO-SSHCBC", "key": "cipher@SSH", "value": "-*-CBC"}]}, "backends": {}}}
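Worked example, added here and not part of the SCAP Security Guide rule or of the crypto-policies project: a bash script that carries out the procedure in the rule's description and then verifies the outcome rather than only the input. It writes the NO-SSHCBC.pmod module, applies DEFAULT:NO-SHA1:NO-SSHCBC, and scans the sshd back-end file that update-crypto-policies generates (/etc/crypto-policies/back-ends/opensshserver.config) for any surviving -cbc cipher or hmac-sha1 MAC name, which is what the rule promises to remove. The CRYPTO_POLICIES_ROOT variable, the function names and the sample back-end lines are assumptions made for this example; the back-end file's exact layout differs between releases, so the scan keys on algorithm names alone. Run without arguments it only exercises the checks on constructed data in a temporary directory; run as root with `apply` it performs the real change.

```bash
#!/bin/bash
# Added example, not part of the SCAP Security Guide rule content: create the
# NO-SSHCBC sub-policy module, apply DEFAULT:NO-SHA1:NO-SSHCBC, and verify the
# result in the sshd back-end file that update-crypto-policies generates.
# CRYPTO_POLICIES_ROOT is a hypothetical override so the file-based checks can
# be exercised in a scratch directory without root; the real root is
# /etc/crypto-policies, and every function also accepts the root as $1.
set -u
: "${CRYPTO_POLICIES_ROOT:=/etc/crypto-policies}"

# Step 1: write the sub-policy module with exactly the line the rule requires.
write_no_sshcbc_module() {
    local root="${1:-$CRYPTO_POLICIES_ROOT}"
    mkdir -p "$root/policies/modules"
    printf 'cipher@SSH = -*-CBC\n' > "$root/policies/modules/NO-SSHCBC.pmod"
}

# OCIL-style check on the module file: it exists and carries the directive
# (whitespace around '=' is tolerated; any other content is a finding).
module_is_compliant() {
    local f="${1:-$CRYPTO_POLICIES_ROOT}/policies/modules/NO-SSHCBC.pmod"
    [ -f "$f" ] && grep -Eq '^[[:space:]]*cipher@SSH[[:space:]]*=[[:space:]]*-\*-CBC[[:space:]]*$' "$f"
}

# Step 2: activate the combined policy (needs root and the crypto-policies
# package; sshd must be restarted afterwards to pick up the new settings).
apply_policy() {
    update-crypto-policies --set DEFAULT:NO-SHA1:NO-SSHCBC
}

# Step 3: check the outcome, not just the input. The sshd back-end file lists
# the cipher and MAC names sshd may negotiate; this scans it for any name
# containing -cbc and for any hmac-sha1 variant (hmac-sha1, hmac-sha1-96,
# hmac-sha1-etm@openssh.com) without depending on the file's exact layout.
# Returns 0 when nothing weak is offered, 1 otherwise (also 1 if the file is missing).
backend_has_no_weak_algos() {
    local f="${1:-$CRYPTO_POLICIES_ROOT/back-ends/opensshserver.config}"
    [ -f "$f" ] || return 1
    if grep -Eiq -e '-cbc' "$f"; then return 1; fi
    if grep -Eiq -e 'hmac-sha1' "$f"; then return 1; fi
    return 0
}

# Offline demonstration on constructed data (hand-written here, not copied
# from a real system): a back-end line that still offers CBC ciphers and a
# SHA-1 MAC, and a clean one of the kind the rule aims for.
demo() {
    local tmp
    tmp="$(mktemp -d)"
    printf 'Ciphers aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-cbc\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512\n' > "$tmp/weak.config"
    printf 'Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256\n' > "$tmp/clean.config"
    for c in weak clean; do
        if backend_has_no_weak_algos "$tmp/$c.config"; then
            echo "$c.config: PASS, no CBC ciphers or SHA-1 MACs offered"
        else
            echo "$c.config: FAIL, CBC cipher or SHA-1 MAC still offered"
        fi
    done
    write_no_sshcbc_module "$tmp"
    if module_is_compliant "$tmp"; then echo "NO-SSHCBC.pmod: PASS"; fi
    rm -rf "$tmp"
}

case "${1:-demo}" in
    demo)  demo ;;
    apply) write_no_sshcbc_module && apply_policy && backend_has_no_weak_algos \
               && echo "sshd back-end contains no CBC ciphers or SHA-1 MACs" ;;
esac
```

If the back-end check fails right after `apply`, inspect the generated file before assuming the module is wrong: the combined policy is only as strong as what each sub-policy actually removes, and the check reports what sshd will offer once restarted, not what the policy source says.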