Details
Approved algorithms should impart some level of confidence in their implementation. Limit the ciphers to algorithms that are FIPS approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
Solution
Limit the ciphers to FIPS-approved algorithms.
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in '/etc/ssh/sshd_config':
FipsMode yes
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.security.fips140.ssh.set.CreateArgs()
$arguments.enable = $true
$esxcli.system.security.fips140.ssh.set.Invoke($arguments)
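The sshd_config route above says "add or correct" the line, which in practice means: if an active FipsMode directive already exists (possibly set to "no"), rewrite it rather than append a second one, because sshd honours only the first occurrence of a keyword. The script below is an added example, not part of this STIG entry or any VMware tooling; it is written in POSIX sh with awk so it can run in the ESXi shell as well as on a workstation, and the function names (get_sshd_option, set_sshd_option, check_fips_mode) and the sample config are constructed for illustration. It operates on a copy so it can be tried safely; point it at /etc/ssh/sshd_config on a host and restart the SSH service afterwards, since sshd reads its configuration only at start-up.

```shell
#!/bin/sh
# Added example (not from the STIG page or VMware): check and idempotently set
# an sshd_config keyword such as "FipsMode yes". POSIX sh + awk only.

# get_sshd_option FILE KEY
# Print the value of the first active (non-comment) KEY line, which is the
# one sshd actually uses. Keyword match is case-insensitive like sshd's.
get_sshd_option() {
    awk -v key="$2" '
        BEGIN { lkey = tolower(key) }
        {
            line = $0; sub(/^[[:space:]]+/, "", line)
            if (line ~ /^#/ || line == "") next        # skip comments and blanks
            split(line, f, /[[:space:]=]+/)
            if (tolower(f[1]) == lkey) { print f[2]; exit }
        }' "$1"
}

# set_sshd_option FILE KEY VALUE
# Ensure KEY is set to VALUE exactly once among the active lines: the first
# active KEY line is replaced in place (so a stale "FipsMode no" cannot win),
# later duplicates are dropped, and the line is appended if none exists.
# Commented-out lines are left untouched.
set_sshd_option() {
    _file="$1"
    awk -v key="$2" -v val="$3" '
        BEGIN { found = 0; lkey = tolower(key) }
        {
            line = $0; sub(/^[[:space:]]+/, "", line)
            if (line ~ /^#/ || line == "") { print; next }
            split(line, f, /[[:space:]=]+/)
            if (tolower(f[1]) == lkey) {
                if (!found) { print key " " val; found = 1 }
                next                                   # drop duplicates
            }
            print
        }
        END { if (!found) print key " " val }          # append when absent
    ' "$_file" > "$_file.tmp" && mv "$_file.tmp" "$_file"
}

# check_fips_mode FILE -> exit 0 when the effective FipsMode is "yes"
check_fips_mode() {
    _val="$(get_sshd_option "$1" FipsMode | tr 'A-Z' 'a-z')"
    [ "$_val" = "yes" ]
}

# make_sample_config FILE: a constructed sshd_config, not taken from any host.
# It has a commented-out line, a non-compliant active line, and a duplicate.
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config for demonstration
Port 22
#FipsMode yes
FipsMode no
Ciphers aes256-ctr,aes128-ctr
FipsMode yes
EOF
}

# Demonstration on a scratch copy (use /etc/ssh/sshd_config on a real host).
demo_dir="$(mktemp -d)"
make_sample_config "$demo_dir/sshd_config"
if check_fips_mode "$demo_dir/sshd_config"; then
    echo "before: compliant"
else
    echo "before: NOT compliant (effective value: $(get_sshd_option "$demo_dir/sshd_config" FipsMode))"
fi
set_sshd_option "$demo_dir/sshd_config" FipsMode yes
if check_fips_mode "$demo_dir/sshd_config"; then echo "after: compliant"; fi
rm -rf "$demo_dir"
```

The check mirrors how sshd resolves a keyword (first active occurrence wins), so a file that contains "FipsMode no" before "FipsMode yes" is correctly reported as non-compliant until the first line is rewritten.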
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: Unix.
References
- 800-53|AC-17(2)
- CAT|II
- CCI|CCI-000068
- Rule-ID|SV-239267r674730_rule
- STIG-ID|ESXI-67-000010
- STIG-Legacy|SV-104053
- STIG-Legacy|V-93967
- Vuln-ID|V-239267