mediumaccess-controlverified ✓rollback-safe
Ensure sshd MACs are configured
ssh-approved-macs · RHEL ≥ 8 · 1 impl
Description
The sshd MACs directive must specify only approved Message Authentication Codes. Every configured MAC is validated against a configurable allowlist of secure algorithms.
Rationale
Improper SSH MACs configuration could weaken the security of remote access to the system. Weak or unapproved MAC algorithms may fail to detect data tampering during SSH sessions.
Check → Remediate
Checkcommand
approved="{{ ssh_approved_macs }}"
configured=$(sshd -T 2>/dev/null | grep -i '^macs ' | awk '{print $2}')
if [ -z "$configured" ]; then echo "FAIL: macs not configured"; exit 1; fi
bad=""
for alg in $(echo "$configured" | tr ',' ' '); do
case ",$approved," in
*",$alg,"*) ;;
*) bad="$bad $alg" ;;
esac
done
if [ -n "$bad" ]; then
echo "FAIL: unapproved mac algorithm(s):$bad"
exit 1
fi
echo "OK: all mac algorithms approved ($configured)"
- expected_exit:
- 0
Remediateconfig_set_dropin
- dir:
- /etc/ssh/sshd_config.d
- file:
- 00-kensa-macs.conf
- key:
- MACs
- value:
- {{ ssh_approved_macs }}
- restart:
- sshd
Framework references
CIS
rhel9 5.1.6rhel10 5.1.15rhel8 5.1.17
NIST 800-53
AC-17SC-8
Live verification
rhel10:checkrhel8:checkrhel9:check
#ssh#sshd#access-control#cryptography