← Rules Catalog
mediumaccess-controlverified rollback-safe

Ensure sshd MACs are configured

ssh-approved-macs · RHEL ≥ 8 · 1 impl

Description

The sshd MACs directive must specify only approved Message Authentication Codes. Every configured MAC is validated against a configurable allowlist of secure algorithms.

Rationale

Improper SSH MACs configuration could weaken the security of remote access to the system. Weak or unapproved MAC algorithms may fail to detect data tampering during SSH sessions.

Check → Remediate

Checkcommand
approved="{{ ssh_approved_macs }}"
configured=$(sshd -T 2>/dev/null | grep -i '^macs ' | awk '{print $2}')
if [ -z "$configured" ]; then echo "FAIL: macs not configured"; exit 1; fi
bad=""
for alg in $(echo "$configured" | tr ',' ' '); do
  case ",$approved," in
    *",$alg,"*) ;;
    *) bad="$bad $alg" ;;
  esac
done
if [ -n "$bad" ]; then
  echo "FAIL: unapproved mac algorithm(s):$bad"
  exit 1
fi
echo "OK: all mac algorithms approved ($configured)"
expected_exit:
0
Remediateconfig_set_dropin
dir:
/etc/ssh/sshd_config.d
file:
00-kensa-macs.conf
key:
MACs
value:
{{ ssh_approved_macs }}
restart:
sshd

Framework references

CIS

rhel9 5.1.6rhel10 5.1.15rhel8 5.1.17

NIST 800-53

AC-17SC-8

Live verification

rhel10:checkrhel8:checkrhel9:check
#ssh#sshd#access-control#cryptography