Check: AOSX-09-000721
Apple OS X 10.9 Workstation STIG:
AOSX-09-000721
(in version v1 r2)
Title
The SSH daemon ClientAliveCountMax option must be set correctly. (Cat II impact)
Discussion
SSH should be configured to log users out after a 15 minute interval of inactivity and to only wait 30 seconds before timing out login attempts. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session or an incomplete login attempt will also free up resources committed by the managed network element.
Check Content
The SSH daemon ClientAliveCountMax option must be set correctly. To ensure the SSH idle timeout will occur when the 'ClientAliveCountMax' is set, run the following command: sudo grep ^ClientAliveCountMax /etc/sshd_config If the setting is not 'ClientAliveCountMax 0', this is a finding.
Fix Text
In order to make sure that the SSH idle timeout occurs precisely when the 'ClientAliveCountMax' is set, run the following command: sudo sed -i.bak 's/.*ClientAliveCountMax.*/ClientAliveCountMax 0/' /etc/sshd_config
Additional Identifiers
Rule ID: SV-72815r1_rule
Vulnerability ID: V-58385
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001133 |
The information system terminates the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity. |
Controls
Number | Title |
---|---|
SC-10 |
Network Disconnect |