Check: GEN005536
HP-UX 11.31 STIG:
GEN005536
(in versions v1 r19 through v1 r13)
Title
The SSH daemon must perform strict mode checking of home directory configuration files. (Cat II impact)
Discussion
If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.
Check Content
Check the SSH daemon configuration. Note that keywords are case-insensitive and arguments (args) are case-sensitive. keyword=StrictModes arg(s)=yes Default values include: "yes" Note: When the default "arg" value exactly matches the required "arg" value (see above), the <keyword=arg> entry is not required to exist (commented or uncommented) in the ssh (client) or sshd (server) configuration file. While not required, it is recommended that the configuration file(s) be populated with all keywords and assigned arg values as a means to explicitly document the ssh(d) binary's expected behavior. Examine the file. # cat /opt/ssh/etc/sshd_config | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v '^#' | grep -i "StrictModes" If the return value is no, this is a finding.
Fix Text
Edit the SSH daemon configuration and add or edit the StrictModes setting value to yes.
Additional Identifiers
Rule ID: SV-35137r1_rule
Vulnerability ID: V-22485
Group Title: GEN005536
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000225 |
The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. |
Controls
Number | Title |
---|---|
AC-6 |
Least Privilege |