/
rule.yml
77 lines (64 loc) · 2.85 KB
/
rule.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
documentation_complete: true
# applicable only to products that ship OpenSSH<8.2
# prodtypes: ???
title: 'Set SSH Client Alive Count Max to zero'
description: |-
The SSH server sends at most <tt>ClientAliveCountMax</tt> messages
during a SSH session and waits for a response from the SSH client.
The option <tt>ClientAliveInterval</tt> configures timeout after
each <tt>ClientAliveCountMax</tt> message. If the SSH server does not
receive a response from the client, then the connection is considered idle
and terminated.
To ensure the SSH idle timeout occurs precisely when the
<tt>ClientAliveInterval</tt> is set, set the <tt>ClientAliveCountMax</tt> to
value of <tt>0</tt>.
rationale: |-
This ensures a user login will be terminated as soon as the <tt>ClientAliveInterval</tt>
is reached.
severity: medium
identifiers:
cce@rhel7: CCE-83399-6
cce@rhel8: CCE-83405-1
cce@rhcos4: CCE-83406-9
cce@sle12: CCE-83407-7
cce@sle15: CCE-83284-0
references:
stigid@ol7: OL07-00-040340
cis@rhel7: 5.2.12
cis@rhel8: 5.2.13
cis@ubuntu2004: 5.2.15
cjis: 5.5.6
cui: 3.1.11
disa: CCI-000879,CCI-001133,CCI-002361
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
nist: AC-2(5),AC-12,AC-17(a),SC-10,CM-6(a)
nist-csf: DE.CM-1,DE.CM-3,PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.IP-2
pcidss: Req-8.1.8
srg: SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109
vmmsrg: SRG-OS-000480-VMM-002000
stigid@rhel7: RHEL-07-040340
stigid@rhel8: RHEL-08-010200
stigid@sle12: SLES-12-030191
stigid@sle15: SLES-15-010320
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 6.2'
isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.3
cobit5: APO13.01,BAI03.01,BAI03.02,BAI03.03,DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
iso27001-2013: A.12.4.1,A.12.4.3,A.14.1.1,A.14.2.1,A.14.2.5,A.18.1.4,A.6.1.2,A.6.1.5,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
cis-csc: 1,12,13,14,15,16,18,3,5,7,8
requires:
- sshd_set_idle_timeout
ocil_clause: 'it is commented out or not configured properly'
ocil: |-
To ensure <tt>ClientAliveInterval</tt> is set correctly, run the following command:
<pre>$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config</pre>
If properly configured, the output should be:
<pre>ClientAliveCountMax 0</pre>
In this case, the SSH idle timeout occurs precisely when
the <tt>ClientAliveInterval</tt> is set.
template:
name: sshd_lineinfile
vars:
parameter: "ClientAliveCountMax"
value: "0"
missing_parameter_pass: "false"
kubernetes: "off"