ESXI-65-000010 - The ESXi host SSH daemon must use DoD-approved encryption to protect the confidentiality of remote access sessions.

Gavin M. Dennis

22 April 2022 04:17

Details

Approved algorithms should impart some level of confidence in their implementation. Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.

Note: This does not imply FIPS 140-2 validation.

Solution

Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.

From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in '/etc/ssh/sshd_config':

Ciphers aes256-ctr,aes192-ctr,aes128-ctr

Supportive Information

The following resource is also helpful.

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-5_Y21M10_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Unix.

References

800-53|AC-17(2)
CAT|II
CCI|CCI-000068
Rule-ID|SV-207611r766919_rule
STIG-ID|ESXI-65-000010
STIG-Legacy|SV-104053
STIG-Legacy|V-93967
Vuln-ID|V-207611

Source

Tenable.com/audits

PS. Before you go.

Request a quote to protect your organisation from cyber attacks and breaches.

Was this article helpful?

0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.

Articles in this section