Additional stig test descriptions

This commit is contained in:
Bob Mottram 2017-06-29 13:04:34 +01:00
parent baf5d90770
commit 5f8faa36e2
2 changed files with 221 additions and 0 deletions

View File

@ -762,6 +762,126 @@ function test_stig {
output "V-38616" $? ${SETLANG}
################
##A FIPS 140-2 approved cryptographic algorithm must be used for SSH communications.
bash $STIG_TESTS_DIR/check-ssh.sh ciphers >/dev/null 2>&1 &
stig_spinner $!
output "SV-86845r2_rule" $? ${SETLANG}
################
##The Standard Notice must be displayed immediately prior to, or as part of, remote access logon prompts.
bash $STIG_TESTS_DIR/check-ssh.sh banner >/dev/null 2>&1 &
stig_spinner $!
output "SV-86849r2_rule" $? ${SETLANG}
################
##All networked systems must use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission.
bash $STIG_TESTS_DIR/check-ssh.sh sshd_status >/dev/null 2>&1 &
stig_spinner $!
output "SV-86859r2_rule" $? ${SETLANG}
################
##All network connections associated with SSH traffic must terminate at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.
bash $STIG_TESTS_DIR/check-ssh.sh ClientAliveInterval >/dev/null 2>&1 &
stig_spinner $!
output "SV-86861r2_rule" $? ${SETLANG}
################
##The SSH daemon must not allow authentication using RSA rhosts authentication.
bash $STIG_TESTS_DIR/check-ssh.sh RhostsRSAAuthentication >/dev/null 2>&1 &
stig_spinner $!
output "SV-86863r2_rule" $? ${SETLANG}
################
##All network connections associated with SSH traffic must terminate after a period of inactivity.
bash $STIG_TESTS_DIR/check-ssh.sh ClientAliveCountMax >/dev/null 2>&1 &
stig_spinner $!
output "SV-86865r2_rule" $? ${SETLANG}
################
##The SSH daemon must not allow authentication using rhosts authentication.
bash $STIG_TESTS_DIR/check-ssh.sh IgnoreRhosts >/dev/null 2>&1 &
stig_spinner $!
output "SV-86867r2_rule" $? ${SETLANG}
################
##The system must display the date and time of the last successful account logon upon an SSH logon.
bash $STIG_TESTS_DIR/check-ssh.sh PrintLastLog >/dev/null 2>&1 &
stig_spinner $!
output "SV-86869r2_rule" $? ${SETLANG}
################
##The system must not permit direct logons to the root account using remote access via SSH.
bash $STIG_TESTS_DIR/check-ssh.sh permitroot >/dev/null 2>&1 &
stig_spinner $!
output "SV-86871r2_rule" $? ${SETLANG}
################
##The SSH daemon must not allow authentication using known hosts authentication.
bash $STIG_TESTS_DIR/check-ssh.sh IgnoreUserKnownHosts >/dev/null 2>&1 &
stig_spinner $!
output "SV-86873r2_rule" $? ${SETLANG}
################
##The SSH daemon must be configured to only use the SSHv2 protocol.
bash $STIG_TESTS_DIR/check-ssh.sh Protocol >/dev/null 2>&1 &
stig_spinner $!
output "SV-86875r2_rule" $? ${SETLANG}
################
##The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
bash $STIG_TESTS_DIR/check-ssh.sh macs >/dev/null 2>&1 &
stig_spinner $!
output "SV-86877r2_rule" $? ${SETLANG}
################
##The SSH public host key files must have mode 0644 or less permissive.
bash $STIG_TESTS_DIR/check-ssh.sh pubkeypermissive >/dev/null 2>&1 &
stig_spinner $!
output "SV-86879r1_rule" $? ${SETLANG}
################
##The SSH private host key files must have mode 0600 or less permissive.
bash $STIG_TESTS_DIR/check-ssh.sh hostkeypermissive >/dev/null 2>&1 &
stig_spinner $!
output "SV-86881r1_rule" $? ${SETLANG}
################
##The SSH daemon must not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.
bash $STIG_TESTS_DIR/check-ssh.sh GSSAPIAuthentication >/dev/null 2>&1 &
stig_spinner $!
output "SV-86883r2_rule" $? ${SETLANG}
################
##The SSH daemon must not permit Kerberos authentication unless needed.
bash $STIG_TESTS_DIR/check-ssh.sh KerberosAuthentication >/dev/null 2>&1 &
stig_spinner $!
output "SV-86885r2_rule" $? ${SETLANG}
################
##The SSH daemon must perform strict mode checking of home directory configuration files.
bash $STIG_TESTS_DIR/check-ssh.sh StrictModes >/dev/null 2>&1 &
stig_spinner $!
output "SV-86887r2_rule" $? ${SETLANG}
################
##The SSH daemon must use privilege separation.
bash $STIG_TESTS_DIR/check-ssh.sh UsePrivilegeSeparation >/dev/null 2>&1 &
stig_spinner $!
output "SV-86889r2_rule" $? ${SETLANG}
################
##The SSH daemon must not allow compression or must only allow compression after successful authentication.
bash $STIG_TESTS_DIR/check-ssh.sh Compression >/dev/null 2>&1 &
stig_spinner $!
output "SV-86891r2_rule" $? ${SETLANG}
################
##Dont allow remote X connections.
bash $STIG_TESTS_DIR/check-ssh.sh X11Forwarding >/dev/null 2>&1 &
stig_spinner $!
output "SV-86927r2_rule" $? ${SETLANG}
################
##RHEL-06-000247
##The system clock must be synchronized continuously, or at least daily.

View File

@ -18,6 +18,107 @@ output()
{
case "$1" in
SV-86845r2_rule) log_msg $2 'A FIPS 140-2 approved cryptographic algorithm must be used for SSH communications.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nSTIG-ID:SV-86845r2\n\nUnapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.\n\nOperating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.\n\nFIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system.\n\nCheck_content: Verify the operating system uses mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.\n\nNote: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2-approved cryptographic algorithms and hashes.\n\nThe location of the "sshd_config" file may vary if a different daemon is in use.\n\nInspect the "Ciphers" configuration with the following command:\n\n# grep -i ciphers /etc/ssh/sshd_config\nCiphers aes128-ctr,aes192-ctr,aes256-ctr\n\nIf any ciphers other than "aes128-ctr", "aes192-ctr", or "aes256-ctr" are listed, the "Ciphers" keyword is missing, or the retuned line is commented out, this is a finding.\n\nFixtext: Configure SSH to use FIPS 140-2 approved cryptographic algorithms.\n\nAdd the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor).\n\nCiphers aes128-ctr,aes192-ctr,aes256-ctr\n\nThe SSH service must be restarted for changes to take effect.\n\n######################\n\n' >> $LOG
fi
;;
SV-86849r2_rule) log_msg $2 'The Standard Notice must be displayed immediately prior to, or as part of, remote access logon prompts.'
if [ $2 -ne 0 ];then
printf '\n######################\n\n Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures that you have some clue as to when the last login happened, etc.\n\n.\n\n######################\n\n' >> $LOG
fi
;;
SV-86859r2_rule) log_msg $2 'All networked systems must use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nWithout protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. \n\nThis requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. \n\nProtecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.\n\nCheck_content: Verify SSH is loaded and active with the following command:\n\n# systemctl status sshd\n sshd.service - OpenSSH server daemon\n Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)\n Active: active (running) since Tue 2015-11-17 15:17:22 EST; 4 weeks 0 days ago\n Main PID: 1348 (sshd)\n CGroup: /system.slice/sshd.service\n ??1348 /usr/sbin/sshd -D\n\nIf "sshd" does not show a status of "active" and "running", this is a finding.\n\n######################\n\n' >> $LOG
fi
;;
SV-86861r2_rule) log_msg $2 'All network connections associated with SSH traffic must terminate at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nTerminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\n\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.\n\nCheck_content: Verify the operating system automatically terminates a user session after inactivity time-outs have expired.\n\nCheck for the value of the "ClientAlive" keyword with the following command:\n\n# grep -i clientalive /etc/ssh/sshd_config\n\nClientAliveInterval 600\n\nIf "ClientAliveInterval" is not set to "600" in "/etc/ ssh/sshd_config", and a lower value is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.\n\nFixtext: Configure the operating system to automatically terminate a user session after inactivity time-outs have expired or at shutdown.\n\nAdd the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nClientAliveInterval 600\n\nThe SSH service must be restarted for changes to take effect.\n\n######################\n\n' >> $LOG
fi
;;
SV-86863r2_rule) log_msg $2 'The SSH daemon must not allow authentication using RSA rhosts authentication.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nConfiguring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.\n\nCheck_content: Verify the SSH daemon does not allow authentication using RSA rhosts authentication.\n\nTo determine how the SSH daemons "RhostsRSAAuthentication" option is set, run the following command:\n\n# grep RhostsRSAAuthentication /etc/ssh/sshd_config\n\nRhostsRSAAuthentication yes\n\nIf the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.\n\nFixtext: Configure the SSH daemon to not allow authentication using RSA rhosts authentication.\n\nAdd the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes":\n\nRhostsRSAAuthentication yes\n\nThe SSH service must be restarted for changes to take effect.\n\n######################\n\n' >> $LOG
fi
;;
SV-86865r2_rule) log_msg $2 'All network connections associated with SSH traffic must terminate after a period of inactivity.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nTerminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.\n\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.\n\nCheck_content: Verify the operating system automatically terminates a user session after inactivity time-outs have expired.\n\nCheck for the value of the "ClientAliveCountMax" keyword with the following command:\n\n# grep -i clientalivecount /etc/ssh/sshd_config\nClientAliveCountMax 0\n\nIf "ClientAliveCountMax" is not set to "0" in "/etc/ ssh/sshd_config", this is a finding.\n\nFixtext: Configure the operating system to automatically terminate a user session after inactivity time-outs have expired or at shutdown.\n\nAdd the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nClientAliveCountMax 0\n\nThe SSH service must be restarted for changes to take effect.\n\n######################\n\n' >> $LOG
fi
;;
SV-86867r2_rule) log_msg $2 'The SSH daemon must not allow authentication using rhosts authentication.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nConfiguring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.\n\nCheck_content: Verify the SSH daemon does not allow authentication using known hosts authentication.\n\nTo determine how the SSH daemons "IgnoreRhosts" option is set, run the following command:\n\n# grep -i IgnoreRhosts /etc/ssh/sshd_config\n\nIgnoreRhosts yes\n\nIf the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.\n\nFixtext: Configure the SSH daemon to not allow authentication using known hosts authentication.\n\nAdd the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes":\n\nIgnoreRhosts yes\n\n######################\n\n' >> $LOG
fi
;;
SV-86869r2_rule) log_msg $2 'The system must display the date and time of the last successful account logon upon an SSH logon.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nProviding users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.\n\nCheck_content: Verify SSH provides users with feedback on when account accesses last occurred.\n\nCheck that "PrintLastLog" keyword in the sshd daemon configuration file is used and set to "yes" with the following command:\n\n# grep -i printlastlog /etc/ssh/sshd_config\nPrintLastLog yes\n\nIf the "PrintLastLog" keyword is set to "no", is missing, or is commented out, this is a finding.\n\nFixtext: Configure SSH to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/sshd" or in the "sshd_config" file used by the system ("/etc/ssh/sshd_config" will be used in the example) (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor).\n\nAdd the following line to the top of "/etc/pam.d/sshd":\n\nsession required pam_lastlog.so showfailed\n\nOr modify the "PrintLastLog" line in "/etc/ssh/sshd_config" to match the following:\n\nPrintLastLog yes\n\nThe SSH service must be restarted for changes to "sshd_config" to take effect.\n\n######################\n\n' >> $LOG
fi
;;
SV-86871r2_rule) log_msg $2 'The system must not permit direct logons to the root account using remote access via SSH.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nEven though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system.\n\nCheck_content: Verify remote access using SSH prevents users from logging on directly as root.\n\nCheck that SSH prevents users from logging on directly as root with the following command:\n\n# grep -i permitrootlogin /etc/ssh/sshd_config\nPermitRootLogin no\n\nIf the "PermitRootLogin" keyword is set to "yes", is missing, or is commented out, this is a finding.\n\nFixtext: Configure SSH to stop users from logging on remotely as the root user.\n\nEdit the appropriate "/etc/ssh/sshd_config" file to uncomment or add the line for the "PermitRootLogin" keyword and set its value to "no" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nPermitRootLogin no\n\nThe SSH service must be restarted for changes to take effect.\n\n######################\n\n' >> $LOG
fi
;;
SV-86873r2_rule) log_msg $2 'The SSH daemon must not allow authentication using known hosts authentication.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nConfiguring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.\n\nCheck_content: Verify the SSH daemon does not allow authentication using known hosts authentication.\n\nTo determine how the SSH daemons "IgnoreUserKnownHosts" option is set, run the following command:\n\n# grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config\n\nIgnoreUserKnownHosts yes\n\nIf the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.\n\nFixtext: Configure the SSH daemon to not allow authentication using known hosts authentication.\n\nAdd the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes":\n\nIgnoreUserKnownHosts yes\n\nThe SSH service must be restarted for changes to take effect.\n\n######################\n\n' >> $LOG
fi
;;
SV-86875r2_rule) log_msg $2 'The SSH daemon must be configured to only use the SSHv2 protocol.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nSSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.\n\nCheck_content: Verify the SSH daemon is configured to only use the SSHv2 protocol.\n\nCheck that the SSH daemon is configured to only use the SSHv2 protocol with the following command:\n\n# grep -i protocol /etc/ssh/sshd_config\nProtocol 2\n#Protocol 1,2\n\nIf any protocol line other than "Protocol 2" is uncommented, this is a finding.\n\nFixtext: Remove all Protocol lines that reference version "1" in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). The "Protocol" line must be as follows:\n\nProtocol 2\n\nThe SSH service must be restarted for changes to take effect.\n\n######################\n\n' >> $LOG
fi
;;
SV-86877r2_rule) log_msg $2 'The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nDoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA.\n\nCheck_content: Verify the SSH daemon is configured to only use MACs employing FIPS 140-2-approved ciphers.\n\nNote: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2-approved cryptographic algorithms and hashes.\n\nCheck that the SSH daemon is configured to only use MACs employing FIPS 140-2-approved ciphers with the following command:\n\n# grep -i macs /etc/ssh/sshd_config\nMACs hmac-sha2-256,hmac-sha2-512\n\nIf any ciphers other than "hmac-sha2-256" or "hmac-sha2-512" are listed or the retuned line is commented out, this is a finding.\n\nFixtext: Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-256" and/or "hmac-sha2-512" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):\n\nMACs hmac-sha2-256,hmac-sha2-512\n\nThe SSH service must be restarted for changes to take effect.\n\n######################\n\n' >> $LOG
fi
;;
SV-86879r1_rule) log_msg $2 'The SSH public host key files must have mode 0644 or less permissive.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nIf a public host key file is modified by an unauthorized user, the SSH service may be compromised.\n\nCheck_content: Verify the SSH public host key files have mode "0644" or less permissive.\n\nNote: SSH public key files may be found in other directories on the system depending on the installation.\n\nThe following command will find all SSH public key files on the system:\n\n# find /etc/ssh -name \"*.pub\" -exec ls -lL {} \\;\n\n-rw-r--r-- 1 root wheel 618 Nov 28 06:43 ssh_host_dsa_key.pub\n-rw-r--r-- 1 root wheel 347 Nov 28 06:43 ssh_host_key.pub\n-rw-r--r-- 1 root wheel 238 Nov 28 06:43 ssh_host_rsa_key.pub\n\nIf any file has a mode more permissive than "0644", this is a finding.\n\nFixtext: Note: SSH public key files may be found in other directories on the system depending on the installation. \n\nChange the mode of public host key files under "/etc/ssh" to "0644" with the following command:\n\n# chmod 0644 /etc/ssh/*.key.pub\n\n######################\n\n' >> $LOG
fi
;;
SV-86881r1_rule) log_msg $2 'The SSH private host key files must have mode 0600 or less permissive.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nIf an unauthorized user obtains the private SSH host key file, the host could be impersonated.
Check_content: Verify the SSH private host key files have mode "0600" or less permissive.\n\nThe following command will find all SSH private key files on the system:\n\n# find / -name \"*ssh_host*key\"\n\nCheck the mode of the private host key files under "/etc/ssh" file with the following command:\n\n# ls -lL /etc/ssh/*key\n-rw------- 1 root wheel 668 Nov 28 06:43 ssh_host_dsa_key\n-rw------- 1 root wheel 582 Nov 28 06:43 ssh_host_key\n-rw------- 1 root wheel 887 Nov 28 06:43 ssh_host_rsa_key\n\nIf any file has a mode more permissive than "0600", this is a finding.\n\nFixtext: Configure the mode of SSH private host key files under "/etc/ssh" to "0600" with the following command:\n\n# chmod 0600 /etc/ssh/ssh_host*key\n\n######################\n\n' >> $LOG
fi
;;
SV-86883r2_rule) log_msg $2 'The SSH daemon must not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nGSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system\u2019s GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.\n\nCheck_content: Verify the SSH daemon does not permit GSSAPI authentication unless approved.\n\nCheck that the SSH daemon does not permit GSSAPI authentication with the following command:\n\n# grep -i gssapiauth /etc/ssh/sshd_config\nGSSAPIAuthentication no\n\nIf the "GSSAPIAuthentication" keyword is missing, is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.\n\nFixtext: Uncomment the "GSSAPIAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no": \n\nGSSAPIAuthentication no\n\nThe SSH service must be restarted for changes to take effect.\n\nIf GSSAPI authentication is required, it must be documented, to include the location of the configuration file, with the ISSO.\n\n######################\n\n' >> $LOG
fi
;;
SV-86885r2_rule) log_msg $2 'The SSH daemon must not permit Kerberos authentication unless needed.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nKerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the systems Kerberos implementation. Vulnerabilities in the systems Kerberos implementation may then be subject to exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems not using this capability.\n\nCheck_content: Verify the SSH daemon does not permit Kerberos to authenticate passwords unless approved.\n\nCheck that the SSH daemon does not permit Kerberos to authenticate passwords with the following command:\n\n# grep -i kerberosauth /etc/ssh/sshd_config\nKerberosAuthentication no\n\nIf the "KerberosAuthentication" keyword is missing, or is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.\n\nFixtext: Uncomment the "KerberosAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no":\n\nKerberosAuthentication no\n\nThe SSH service must be restarted for changes to take effect.\n\nIf Kerberos authentication is required, it must be documented, to include the location of the configuration file, with the ISSO.\n\n######################\n\n' >> $LOG
fi
;;
SV-86887r2_rule) log_msg $2 'The SSH daemon must perform strict mode checking of home directory configuration files.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nIf other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.\n\nCheck_content: Verify the SSH daemon performs strict mode checking of home directory configuration files.\n\nThe location of the "sshd_config" file may vary if a different daemon is in use.\n\nInspect the "sshd_config" file with the following command:\n\n# grep -i strictmodes /etc/ssh/sshd_config\n\nStrictModes yes\n\nIf "StrictModes" is set to "no", is missing, or the returned line is commented out, this is a finding.\n\nFixtext: Uncomment the "StrictModes" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "yes":\n\nStrictModes yes\n\nThe SSH service must be restarted for changes to take effect.\n\n######################\n\n' >> $LOG
fi
;;
SV-86889r2_rule) log_msg $2 'The SSH daemon must use privilege separation.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nSSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.\n\nCheck_content: Verify the SSH daemon performs privilege separation.\n\nCheck that the SSH daemon performs privilege separation with the following command:\n\n# grep -i usepriv /etc/ssh/sshd_config\n\nUsePrivilegeSeparation sandbox\n\nIf the "UsePrivilegeSeparation" keyword is set to "no", is missing, or the retuned line is commented out, this is a finding.\n\nFixtext: Uncomment the "UsePrivilegeSeparation" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "sandbox" or "yes":\n\nUsePrivilegeSeparation sandbox\n\nThe SSH service must be restarted for changes to take effect.\n\n######################\n\n' >> $LOG
fi
;;
SV-86891r2_rule) log_msg $2 'The SSH daemon must not allow compression or must only allow compression after successful authentication.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nIf compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.\n\nCheck_content: Verify the SSH daemon performs compression after a user successfully authenticates.\n\nCheck that the SSH daemon performs compression after a user successfully authenticates with the following command:\n\n# grep -i compression /etc/ssh/sshd_config\nCompression delayed\n\nIf the "Compression" keyword is set to "yes", is missing, or the retuned line is commented out, this is a finding.\n\nFixtext: Uncomment the "Compression" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to "delayed" or "no":\n\nCompression no\n\nThe SSH service must be restarted for changes to take effect.\n\n######################\n\n' >> $LOG
fi
;;
SV-86927r2_rule) log_msg $2 'Dont allow remote X connections.'
if [ $2 -ne 0 ];then
printf '\n######################\n\nThis system is not intended to support graphical output\n\n######################\n\n' >> $LOG
fi
;;
V-38455) if [ "$3" = "en" ]; then
log_msg $2 'The system must use a separate file system for /tmp.'
else