{"description": "Limit the ciphers to those algorithms which are FIPS-approved.\nThe following line in <tt>/etc/ssh/sshd_config</tt>\ndemonstrates use of FIPS-approved ciphers:\n<pre>Ciphers aes256-ctr,aes256-gcm@openssh.com,aes192-ctr,aes128-ctr,aes128-gcm@openssh.com</pre>\nIf this line does not contain these ciphers in exact order,\nis commented out, or is missing, this is a finding.", "rationale": "Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore\ncannot be relied upon to provide confidentiality or integrity, and system data may be compromised.\n<br />\nOperating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to\ncryptographic modules.\n<br />\nFIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules\nutilize authentication that meets industry and government requirements. For government systems, this allows\nSecurity Levels 1, 2, 3, or 4 for use on Ubuntu 22.04.", "severity": "medium", "references": {"srg": ["SRG-OS-000033-GPOS-00014", "SRG-OS-000120-GPOS-00061", "SRG-OS-000125-GPOS-00065", "SRG-OS-000250-GPOS-00093", "SRG-OS-000393-GPOS-00173", "SRG-OS-000394-GPOS-00174"], "stigid": ["UBTU-22-255050"], "stigref": ["SV-260531r958408_rule"]}, "control_references": {"stigid": ["UBTU-22-255050"]}, "components": [], "identifiers": {}, "ocil_clause": "FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved", "ocil": "Only FIPS ciphers should be used. To verify that only FIPS-approved\nciphers are in use, run the following command:\n<pre>$ sudo grep Ciphers /etc/ssh/sshd_config</pre>\nThe output should contain only following ciphers (or a subset) in the exact order:\n<pre>aes256-ctr,aes192-ctr,aes128-ctr</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "The system needs to be rebooted for these changes to take effect."}, {"regulatory": "System Crypto Modules must be provided by a vendor that undergoes\nFIPS-140 certifications.\nFIPS-140 is applicable to all Federal agencies that use\ncryptographic-based security systems to protect sensitive information\nin computer and telecommunication systems (including voice systems) as\ndefined in Section 5131 of the Information Technology Management Reform\nAct of 1996, Public Law 104-106. This standard shall be used in\ndesigning and implementing cryptographic modules that Federal\ndepartments and agencies operate or are operated for them under\ncontract. See <b>\n<a xmlns='http://www.w3.org/1999/xhtml' href='https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf'>https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf</a></b>\nTo meet this, the system has to have cryptographic software provided by\na vendor that has undergone this certification. This means providing\ndocumentation, test results, design information, and independent third\nparty review by an accredited lab. While open source software is\ncapable of meeting this, it does not meet FIPS-140 unless the vendor\nsubmits to this process."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Use Only FIPS 140-2 Validated Ciphers", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml", "template": null}