STIGQter: STIG Summary: VMware vSphere 6.5 ESXi Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

The ESXi host SSH daemon must use DoD-approved encryption to protect the confidentiality of remote access sessions.

DISA Rule

SV-207611r378610_rule

Vulnerability Number

V-207611

Group Title

SRG-OS-000033-VMM-000140

Rule Version

ESXI-65-000010

Severity

CAT II

CCI(s)

• CCI-000068 - The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions.

Weight

10

Fix Recommendation

Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.

From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config":

Ciphers aes128-ctr,aes192-ctr,aes256-ctr

Check Contents

Only FIPS-approved ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command from an SSH session connected to the ESXi host, or from the ESXi shell:

# grep -i "^Ciphers" /etc/ssh/sshd_config

If there is no output or the output is not exactly "Ciphers aes128-ctr,aes192-ctr,aes256-ctr", this is a finding.

Vulnerability Number

V-207611

Documentable

False

Rule Version

ESXI-65-000010

Severity Override Guidance

Only FIPS-approved ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command from an SSH session connected to the ESXi host, or from the ESXi shell:

# grep -i "^Ciphers" /etc/ssh/sshd_config

If there is no output or the output is not exactly "Ciphers aes128-ctr,aes192-ctr,aes256-ctr", this is a finding.

Check Content Reference

M

Target Key

2925

Comments