mediumsystemverified ✓rollback-safe
Ensure system wide crypto policy disables CBC for SSH
crypto-policy-no-cbc-ssh · RHEL ≥ 8 · 1 impl
Description
The system-wide crypto policy should disable Cipher Block Chaining (CBC) mode ciphers for SSH connections as they are vulnerable to certain attacks.
Rationale
CBC mode ciphers in SSH are vulnerable to the BEAST attack and other padding oracle attacks. Using CTR or GCM mode ciphers provides better security.
Check → Remediate
Checkcommand
sshd -T 2>/dev/null | grep -i '^ciphers' | grep -qi 'cbc' && echo 'FAIL: CBC ciphers enabled' && exit 1 || echo 'OK: No CBC ciphers' && exit 0
- expected_exit:
- 0
Remediatecrypto_policy_subpolicy
- subpolicy:
- NO-CBC
- unless:
- update-crypto-policies --show | grep -q ':NO-CBC'
Framework references
CIS
rhel9 1.6.5rhel10 1.6.4rhel8 1.6.4
NIST 800-53
SC-13SC-8
Live verification
rhel10:checkrhel8:checkrhel9:check
#crypto-policy#ssh#cbc#security#cryptography