STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 3 hours ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to SUSE Linux Enterprise Server 15 Security Technical Implementation Guide

V-234816

CAT I (High)

The SUSE operating system must implement DOD-approved encryption to protect the confidentiality of SSH remote connections.

Rule ID

SV-234816r1208925_rule

STIG

SUSE Linux Enterprise Server 15 Security Technical Implementation Guide

Version

V2R8

CCIs

CCI-000068

Discussion

Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information. The system will attempt to use the first cipher presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest cipher available to secure the SSH connection. Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173

Check Content

Verify the SUSE operating system SSH server is configured to use only ciphers employing FIPS 140-3 approved algorithms.

To verify the ciphers in the systemwide SSH configuration file, use the following command:

> sudo grep -i Ciphers /etc/crypto-policies/back-ends/opensshserver.config 
Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr

If the cipher entries in the "opensshserver.config" file have any ciphers other than "aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr", or they are missing or commented out, this is a finding.

Fix Text

Configure the SUSE operating system SSH server to use only ciphers employing FIPS 140-3-approved algorithms.

Reinstall crypto-policies with the following command:

> sudo zypper install --force crypto-policies

Set the crypto-policy to FIPS with the following command:

> sudo update-crypto-policies --set FIPS
Setting system policy to FIPS

Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place.