blob: 4f77a14d1192f53d408dcd3cbbce6a941740042f (last changed in commit e9420e7 by Dmitry Teselkin, 2018-04-03 13:49:39 +0300)
# 5.2.11 Ensure only approved MAC algorithms are used (Scored)
#
# Profile Applicability
# ---------------------
# - Level 1 - Server
# - Level 1 - Workstation
#
# Description
# -----------
# This variable limits the types of MAC algorithms that SSH can use during communication.
#
# Rationale
# ---------
# MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase
# exploitability in SSH downgrade attacks. Weak algorithms continue to receive a great deal of
# attention as a weak spot that can be exploited with expanded computing power. An
# attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the
# SSH tunnel and capture credentials and information.
#
# Audit
# -----
# Run the following command and verify that the output does not contain any unlisted MAC
# algorithms:
#
# # grep "MACs" /etc/ssh/sshd_config
# MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
# umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com,
# curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
#
# Remediation
# -----------
# Edit the /etc/ssh/sshd_config file to set the parameter as follows:
#
# MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
# umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

parameters:
  openssh:
    server:
      mac_algorithms:
        hmac-sha2-512-etm@openssh.com:
          enabled: True
        hmac-sha2-256-etm@openssh.com:
          enabled: True
        umac-128-etm@openssh.com:
          enabled: True
        hmac-sha2-512:
          enabled: True
        hmac-sha2-256:
          enabled: True
        umac-128@openssh.com:
          enabled: True
53