Use Only FIPS 140-2 Validated MACs
Description
Limit the MACs to those hash algorithms which are FIPS-approved.
The following line in /etc/ssh/sshd_config
demonstrates use of FIPS-approved MACs:
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1
The man page sshd_config(5) contains a list of supported MACs.
The rule is parametrized to use the following MACs: .
Rationale
DoD Information Systems are required to use FIPS-approved cryptographic hash
functions. The only SSHv2 hash algorithms meeting this requirement is SHA2.
Shell script
The following script can be run on the host to remediate the issue.
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
sshd\_approved\_macs=''
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped\_key=$(sed 's/[\^=\$,;+]\*//g' <<< "^MACs")
# shellcheck disable=SC2059
printf -v formatted\_output "%s %s" "$stripped\_key" "$sshd\_approved\_macs"
# If the key exists, change it. Otherwise, add it to the config\_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC\_ALL=C grep -q -m 1 -i -e "^MACs\\>" "/etc/ssh/sshd\_config"; then
escaped\_formatted\_output=$(sed -e 's|/|\\/|g' <<< "$formatted\_output")
LC\_ALL=C sed -i --follow-symlinks "s/^MACs\\>.\*/$escaped\_formatted\_output/gi" "/etc/ssh/sshd\_config"
else
if [[ -s "/etc/ssh/sshd\_config" ]] && [[ -n "$(tail -c 1 -- "/etc/ssh/sshd\_config" || true)" ]]; then
LC\_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/ssh/sshd\_config"
fi
printf '%s\n' "$formatted\_output" >> "/etc/ssh/sshd\_config"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
Warning
The system needs to be rebooted for these changes to take effect.
