Important note: Up to 10 minutes is required for FortiSIEM to reload the services (both SSH and HTTPS).

Background:

FortiSIEM v7.x follows system-wide crypto policy.

Version used in this example:

[root@fsiem-01 ~]# cat /etc/os-release
NAME="Rocky Linux"
VERSION="8.10 (Green Obsidian)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="8.10"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Rocky Linux 8.10 (Green Obsidian)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:8:GA"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2029-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-8"
ROCKY_SUPPORT_PRODUCT_VERSION="8.10"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.10"

Implementation Steps:

Default settings.

[root@fsiem-01]# update-crypto-policies --show
DEFAULT

Update the policy with:

FIPS:OSPP:DISABLE-CBC:NO-SHA1

/etc/ssh/sshd_config
/etc/crypto-policies/back-ends/opensshserver.config

Preview of '/etc/ssh/sshd_config':

# This system is following system-wide crypto policy. The changes to
# crypto properties (Ciphers, MACs, ...) will not have any effect here.
# They will be overridden by command-line options passed to the serve
<snip>

Ensure 'FIPS.pol' exists:

# ls -l /usr/share/crypto-policies/policies/
total 20
-rw-r--r--. 1 root root 2153 Aug 1 2023 DEFAULT.pol
-rw-r--r--. 1 root root 267 Aug 1 2023 EMPTY.pol
-rw-r--r--. 1 root root 1726 Aug 1 2023 FIPS.pol
-rw-r--r--. 1 root root 2102 Aug 1 2023 FUTURE.pol
-rw-r--r--. 1 root root 2471 Aug 1 2023 LEGACY.pol
drwxr-xr-x. 2 root root 113 Aug 13 2024 modules

Creation of 'DISABLE-CBC.pmod':

# sudo cp /usr/share/crypto-policies/policies/DEFAULT.pol /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod
# sudo sed --in-place 's/CAMELLIA-256-CBC//' /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod
# sudo sed --in-place 's/AES-256-CBC//' /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod
# sudo sed --in-place 's/CAMELLIA-128-CBC//' /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod
# sudo sed --in-place 's/AES-128-CBC//' /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod

# ls -l /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod
-rw-r--r-- 1 root root 2077 Apr 1 14:28 /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod

Ensure 'NO-SHA1.pmod' exists:

# ls -la /usr/share/crypto-policies/policies/modules/
total 20
drwxr-xr-x. 2 root root 113 Aug 13 2024 .
drwxr-xr-x. 3 root root 109 Aug 13 2024 ..
-rw-r--r--. 1 root root 322 Aug 1 2023 AD-SUPPORT.pmod
-rw-r--r--. 1 root root 121 Aug 1 2023 ECDHE-ONLY.pmod
-rw-r--r--. 1 root root 90 Aug 1 2023 NO-CAMELLIA.pmod
-rw-r--r--. 1 root root 123 Aug 1 2023 NO-SHA1.pmod
-rw-r--r--. 1 root root 1986 Aug 1 2023 OSPP.pmod

Update to 'FIPS:OSPP:DISABLE-CBC:NO-SHA1':

[root@fsiem-01 ~]# date
Tue Apr 1 20:12:32 IST 2025
[root@fsiem-01 ~]# sudo update-crypto-policies --set FIPS:OSPP:DISABLE-CBC:NO-SHA1
Setting system policy to FIPS:OSPP:DISABLE-CBC:NO-SHA1
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies to fully take place.
[root@fsiem-01 ~]# sudo init 6    << Effect the changes

Validation:

Checks on FortiSIEM:

[root@fsiem-01 ~]# date           << After changes
Tue Apr 1 20:18:56 IST 2025
[root@fsiem-01 ~]# sudo update-crypto-policies --show
FIPS:OSPP:DISABLE-CBC:NO-SHA1

Nmap scan for SSH:

$ date
Tue Apr 1 14:49:41 UTC 2025
fortinet@Gerah-kvm29:~$ nmap --script ssh2-enum-algos 10.47.48.11 -p 22
Starting Nmap 7.93 ( https://nmap.org ) at 2025-04-01 14:49 UTC
Nmap scan report for 10.47.48.11
Host is up (0.00064s latency).

PORT STATE SERVICE
22/tcp open ssh
| ssh2-enum-algos:
| kex_algorithms: (10)
| curve25519-sha256
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group14-sha256
| diffie-hellman-group16-sha512
| diffie-hellman-group18-sha512
| kex-strict-s-v00@openssh.com
| server_host_key_algorithms: (4)
| rsa-sha2-512
| rsa-sha2-256
| ecdsa-sha2-nistp256
| ssh-ed25519
| encryption_algorithms: (5)
| aes256-gcm@openssh.com
| chacha20-poly1305@openssh.com
| aes256-ctr
| aes128-gcm@openssh.com
| aes128-ctr
| mac_algorithms: (8)
| hmac-sha2-256-etm@openssh.com
| hmac-sha1-etm@openssh.com
| umac-128-etm@openssh.com
| hmac-sha2-512-etm@openssh.com
| hmac-sha2-256
| hmac-sha1
| umac-128@openssh.com
| hmac-sha2-512
| compression_algorithms: (2)
| none
|_ zlib@openssh.com

Nmap scan for HTTPS:

$ nmap --script ssl-enum-ciphers -p 443 10.47.48.11
Starting Nmap 7.93 ( https://nmap.org ) at 2025-04-01 14:49 UTC
Nmap scan report for 10.47.48.11
Host is up (0.00086s latency).

PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 4096) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 4096) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 4096) - A
| TLS_DHE_RSA_WITH_AES_256_CCM (dh 4096) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 4096) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 4096) - A
| TLS_DHE_RSA_WITH_AES_128_CCM (dh 4096) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 4096) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| Key exchange (ecdh_x25519) of lower strength than certificate key
| TLSv1.3:
| ciphers:
| TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_AKE_WITH_AES_128_CCM_SHA256 (ecdh_x25519) - A
| cipher preference: server
|_ least strength: A

Outcome:

The result should meet the requirements of most security policies.