← Rules Catalog
mediumaccess-controlverified

Ensure system-wide crypto policy disables EtM for ssh

ssh-crypto-policy-no-etm · RHEL ≥ 8 · 1 impl

Description

The effective SSH daemon MAC list must not include encrypt-then-MAC (*-etm@openssh.com) algorithms, which the site crypto policy is expected to disable.

Rationale

Disabling EtM MACs through the system-wide crypto policy enforces the organization's approved MAC posture uniformly rather than relying on per-service configuration.

Check → Remediate

Checkcommand
if sshd -T 2>/dev/null | grep -i '^macs' | grep -q 'etm@'; then
  echo "FAIL: EtM MAC(s) present in effective sshd macs"
  exit 1
fi
echo "OK: no EtM MACs offered"
expected_exit:
0
Remediatemanual
note:
Adjust the system-wide crypto policy so the SSH MAC list excludes the *-etm@openssh.com algorithms, then restart sshd.

Framework references

CIS

rhel9 1.6.7rhel8 1.6.6

NIST 800-53

SC-13SC-8

Live verification

rhel9:check
#ssh#crypto-policy#macs