-
Notifications
You must be signed in to change notification settings - Fork 670
/
rule.yml
35 lines (27 loc) · 1.19 KB
/
rule.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
documentation_complete: true
title: 'Force frequent session key renegotiation'
description: |-
The <tt>RekeyLimit</tt> parameter specifies how often
the session key of the is renegotiated, both in terms of
amount of data that may be transmitted and the time
elapsed. To decrease the default limits, put line
<tt>RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/sshd_config</tt>.
rationale: |-
By decreasing the limit based on the amount of data and enabling
time-based limit, effects of potential attacks against
encryption keys are limited.
severity: medium
identifiers:
cce@rhel8: CCE-82177-7
references:
ospp: FCS_SSHS_EXT.1
srg: SRG-OS-000480-GPOS-00227,SRG-OS-000033-GPOS-00014
stigid@rhel8: RHEL-08-040161
disa: CCI-000068
ocil_clause: 'it is commented out or is not set'
ocil: |-
To check if RekeyLimit is set correctly, run the
following command:
<pre>$ sudo grep RekeyLimit /etc/ssh/sshd_config</pre>
If configured properly, output should be
<pre>RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}</pre>