mediumaccess-controlverified ✓
Ensure system-wide crypto policy disables EtM for ssh
ssh-crypto-policy-no-etm · RHEL ≥ 8 · 1 impl
Description
The effective SSH daemon MAC list must not include encrypt-then-MAC (*-etm@openssh.com) algorithms, which the site crypto policy is expected to disable.
Rationale
Disabling EtM MACs through the system-wide crypto policy enforces the organization's approved MAC posture uniformly rather than relying on per-service configuration.
Check → Remediate
Checkcommand
if sshd -T 2>/dev/null | grep -i '^macs' | grep -q 'etm@'; then echo "FAIL: EtM MAC(s) present in effective sshd macs" exit 1 fi echo "OK: no EtM MACs offered"
- expected_exit:
- 0
Remediatemanual
- note:
- Adjust the system-wide crypto policy so the SSH MAC list excludes the *-etm@openssh.com algorithms, then restart sshd.
Framework references
CIS
rhel9 1.6.7rhel8 1.6.6
NIST 800-53
SC-13SC-8
Live verification
rhel9:check
#ssh#crypto-policy#macs