SV-239267r674730_rule
V-239267
SRG-OS-000033-VMM-000140
ESXI-67-000010
CAT II
10
Limit the ciphers to FIPS-approved algorithms.
From an SSH session connected to the ESXi host, or from the ESXi shell, add or correct the following line in "/etc/ssh/sshd_config":
FipsMode yes
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.security.fips140.ssh.set.CreateArgs()
$arguments.enable = $true
$esxcli.system.security.fips140.ssh.set.Invoke($arguments)
To verify that only FIPS-approved ciphers are in use, run the following command from an SSH session connected to the ESXi host, or from the ESXi shell:
# grep -i "^FipsMode" /etc/ssh/sshd_config
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
$esxcli = Get-EsxCli -v2
$esxcli.system.security.fips140.ssh.get.invoke()
If there is no output or the output is not exactly "FipsMode yes" over SSH, or enabled is not "true" over PowerCLI, this is a finding.
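Added example, not part of the STIG record or of VMware's PowerCLI documentation: a PowerCLI audit that runs the check above against every ESXi host in the current vCenter or host session and records one finding per host, with optional remediation that mirrors the fix text. It assumes an existing Connect-VIServer session and that the object returned by fips140.ssh.get exposes the value as an "Enabled" property, as the check text describes.

```powershell
# Added example (not from the STIG record): audit ESXI-67-000010 across all connected hosts.
# Assumes Connect-VIServer has already been run and that fips140.ssh.get.Invoke()
# returns an object whose "Enabled" property carries the value the check text refers to.
$Remediate = $false   # set to $true to apply the fix text to hosts that fail

$results = foreach ($vmhost in Get-VMHost) {
    $esxcli = Get-EsxCli -VMHost $vmhost -V2
    $fips   = $esxcli.system.security.fips140.ssh.get.Invoke()

    # esxcli may report the value as a string or boolean; normalise before comparing.
    # PowerShell string comparison is case-insensitive, so "True" and "true" both pass.
    $enabled = [string]$fips.Enabled

    [pscustomobject]@{
        Host    = $vmhost.Name
        Enabled = $enabled
        Finding = ($enabled -ne 'true')   # anything other than "true" is a finding
    }
}

$results | Format-Table -AutoSize

if ($Remediate) {
    foreach ($r in $results | Where-Object Finding) {
        # Same commands as the PowerCLI fix text, scoped to the failing host
        $esxcli    = Get-EsxCli -VMHost (Get-VMHost -Name $r.Host) -V2
        $arguments = $esxcli.system.security.fips140.ssh.set.CreateArgs()
        $arguments.enable = $true
        $esxcli.system.security.fips140.ssh.set.Invoke($arguments)
    }
}
```

Run the audit with $Remediate left at $false first; the table lists each host with Finding set to True where FIPS mode for SSH is not enabled, which is the evidence an assessor records for this rule.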
V-239267
False
ESXI-67-000010
M
5326