From d3da0b8d855d618d9df7ee1ee22c6420535bdbe2 Mon Sep 17 00:00:00 2001
From: Allen Golbig
Date: Tue, 6 Oct 2020 15:05:44 -0400
Subject: [PATCH] FIPS guidance
---
 rules/os/os_ssh_fips_140_ciphers.yaml | 10 ++++------
 rules/os/os_ssh_fips_140_macs.yaml | 10 ++++------
 2 files changed, 8 insertions(+), 12 deletions(-)
diff --git a/rules/os/os_ssh_fips_140_ciphers.yaml b/rules/os/os_ssh_fips_140_ciphers.yaml
index 9a7993e8..32b44ac5 100644
--- a/rules/os/os_ssh_fips_140_ciphers.yaml
+++ b/rules/os/os_ssh_fips_140_ciphers.yaml
@@ -1,13 +1,11 @@
 id: os_ssh_fips_140_ciphers
-title: "Limit SSH to FIPS 140 Approved Ciphers"
+title: "Limit SSH to FIPS 140 Validated Ciphers"
 discussion: |
- SSH _MUST_ be configured to limit the ciphers to algorithms that are FIPS 140 approved.
+ SSH _MUST_ be configured to limit the ciphers to algorithms that are FIPS 140 validated.
- FIPS 140-2 is the current standard for approving and validating that mechanisms used to access cryptographic modules utilize authentication that meets federal requirements.
+ FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meet federal requirements.
- Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
-
- Operating systems utilizing encryption _MUST_ use FIPS compliant mechanisms for authenticating to cryptographic modules.
+ Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules.
 NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
 check: |
diff --git a/rules/os/os_ssh_fips_140_macs.yaml b/rules/os/os_ssh_fips_140_macs.yaml
index b4bb6db1..cf8ea851 100644
--- a/rules/os/os_ssh_fips_140_macs.yaml
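Review bot: The new FIPS 140-2 sentence in the ciphers discussion reads `authentication that meet federal requirements`, while the parallel new line in the macs hunk keeps `meets`; the subject is the singular "authentication", so the ciphers line should be `FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets federal requirements.` (indented like the rest of the block scalar). A wording point applies to both hunks: as I understand NIST usage, "validated" describes a cryptographic module that has passed CMVP testing, whereas individual algorithms are "approved" (FIPS 140-2 Annex A), so `FIPS 140 Validated Ciphers` and `algorithms that are FIPS 140 validated` may read as the wrong term to an assessor, and something like `FIPS 140 approved ciphers provided by a validated cryptographic module` would keep both ideas. With the risk paragraph dropped, the new discussion text no longer states what the rule mitigates; a one-sentence rationale such as `Ciphers that are not FIPS 140 approved have not been evaluated and cannot be relied upon to provide confidentiality or integrity.` is worth keeping in both files. The check: and fix: sections of both rules continue outside the hunks.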
+++ b/rules/os/os_ssh_fips_140_macs.yaml
@@ -1,13 +1,11 @@
 id: os_ssh_fips_140_macs
-title: "Limit SSH to FIPS 140 Approved Message Authentication Code Algorithms"
+title: "Limit SSH to FIPS 140 Validated Message Authentication Code Algorithms"
 discussion: |
- SSH _MUST_ be configured to limit the Message Authentication Codes (MACs) to algorithms that are FIPS 140 approved..
+ SSH _MUST_ be configured to limit the Message Authentication Codes (MACs) to algorithms that are FIPS 140 validated.
- FIPS 140-2 is the current standard for approving and validating that mechanisms used to access cryptographic modules utilize authentication that meets federal requirements.
+ FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets federal requirements.
- Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
-
- Operating systems utilizing encryption _MUST_ use FIPS compliant mechanisms for authenticating to cryptographic modules.
+ Operating systems utilizing encryption _MUST_ use FIPS validated mechanisms for authenticating to cryptographic modules.
 NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.
 check: |