sshd issues
by Paige, David B CTR USARMY ICOE (US)
There are some issues in the STIG for Red Hat Enterprise Linux 7 Server, profile: stig-rhel7-server-upstream in ssg-rhel7-xccdf.xml.
The first is "Use Only FIPS Approved MACs", RHEL-07-040620.
The STIG indicates that only hmac-sha2-512 and hmac-sha2-256 should be used. However, the remediation script adds hmac-sha1 to the list of MACs. Removing hmac-sha1 causes the test to fail. Also, the reference listed is incorrect. It should be RHEL-07-040400. Also, in one instance when performing a remediation, the MACs line was appended to the last line of /etc/ssh/sshd_config, causing sshd to fail.
The second is "Use Only Approved Ciphers", RHEL-07-040110.
The STIG indicates that the line should be listed as follows:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
However, the remediation script adds aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc. Removing these cbc and 3des ciphers causes the check to fail.
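An added example, not code from the post or from the SCAP Security Guide project: a small audit script for the two findings above. It flags MACs or Ciphers values outside the lists the STIG text quotes, and it detects a directive fused onto the end of the previous line, the sshd_config breakage the post describes. The approved lists come from the post; the sample config is constructed to resemble the remediation output, and the fused-line heuristic is an assumption about how that breakage looks.

```python
import re
import sys

# Allowed values as quoted in the post (RHEL-07-040400 / RHEL-07-040110).
APPROVED = {
    "macs": {"hmac-sha2-512", "hmac-sha2-256"},
    "ciphers": {"aes128-ctr", "aes192-ctr", "aes256-ctr"},
}

# Constructed sample: CBC/3DES ciphers added by remediation, and a MACs line
# appended without a newline so it fuses onto the previous directive.
SAMPLE_CONFIG = """\
# constructed sshd_config fragment
Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
Subsystem sftp /usr/libexec/openssh/sftp-serverMACs hmac-sha2-512,hmac-sha2-256,hmac-sha1
"""

# Heuristic (assumption): a directive name glued to a non-space character.
FUSED = re.compile(r"\S(MACs|Ciphers)\s+\S", re.IGNORECASE)


def audit_sshd_config(text):
    """Return [(line_no, message)] for MACs/Ciphers problems; 0 = missing."""
    findings = []
    seen = set()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()  # sshd keywords are case-insensitive
        if key in APPROVED:
            seen.add(key)
            values = parts[1].split(",") if len(parts) > 1 else []
            bad = [v for v in values if v.strip().lower() not in APPROVED[key]]
            if bad:
                findings.append((no, f"{parts[0]}: unapproved {','.join(bad)}"))
            continue
        m = FUSED.search(line)
        if m:
            findings.append((no, f"{m.group(1)} fused onto previous line"))
    for key in APPROVED:
        if key not in seen:
            findings.append((0, f"{key} directive missing"))
    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"
    for no, msg in audit_sshd_config(open(path).read()):
        print(f"{path}:{no}: {msg}")
```

Run it against the live file, or check the constructed sample with `audit_sshd_config(SAMPLE_CONFIG)`, which reports the CBC ciphers, the fused MACs line, and the consequently missing MACs directive.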