← Rules Catalog
mediumsystemverified rollback-safe

Ensure system wide crypto policy disables CBC for SSH

crypto-policy-no-cbc-ssh · RHEL ≥ 8 · 1 impl

Description

The system-wide crypto policy should disable Cipher Block Chaining (CBC) mode ciphers for SSH connections as they are vulnerable to certain attacks.

Rationale

CBC mode ciphers in SSH are vulnerable to the BEAST attack and other padding oracle attacks. Using CTR or GCM mode ciphers provides better security.

Check → Remediate

Checkcommand
sshd -T 2>/dev/null | grep -i '^ciphers' | grep -qi 'cbc' && echo 'FAIL: CBC ciphers enabled' && exit 1 || echo 'OK: No CBC ciphers' && exit 0
expected_exit:
0
Remediatecrypto_policy_subpolicy
subpolicy:
NO-CBC
unless:
update-crypto-policies --show | grep -q ':NO-CBC'

Framework references

CIS

rhel9 1.6.5rhel10 1.6.4rhel8 1.6.4

NIST 800-53

SC-13SC-8

Live verification

rhel10:checkrhel8:checkrhel9:check
#crypto-policy#ssh#cbc#security#cryptography