Title

The SSH daemon must use privilege separation. (Cat II impact)

Discussion

SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.

Check Content

Check that the SSH daemon performs privilege separation with the following command: # grep UsePrivilegeSeparation /etc/ssh/sshd_config UsePrivilegeSeparation yes If the "UsePrivilegeSeparation" keyword is set to "no", is missing, or the returned line is commented out, this is a finding.

Fix Text

Configure SSH to use privilege separation. Uncomment the "UsePrivilegeSeparation" keyword in "/etc/ssh/sshd_config" and set the value to "yes": UsePrivilegeSeparation yes The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command: # sudo systemctl restart sshd.service

Additional Identifiers

Rule ID: SV-215135r610931_rule

Vulnerability ID: V-215135

Group Title: SRG-OS-000480-GPOS-00227

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.