Check: GEN005537
HP-UX 11.31 STIG:
GEN005537
(in versions v1 r19 through v1 r13)
Title
The SSH daemon must use privilege separation. (Cat II impact)
Discussion
SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.
Check Content
Check the SSH daemon configuration. Note that keywords are case-insensitive and arguments (args) are case-sensitive. keyword=UsePrivilegeSeparation arg(s)=yes Default values include: "yes" Note: When the default "arg" value exactly matches the required "arg" value (see above), the <keyword=arg> entry is not required to exist (commented or uncommented) in the ssh (client) or sshd (server) configuration file. While not required, it is recommended that the configuration file(s) be populated with all keywords and assigned arg values as a means to explicitly document the ssh(d) binary's expected behavior. Examine the file. # cat /opt/ssh/etc/sshd_config | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v '^#' | grep -i "UsePrivilegeSeparation" If the return value is no, this is a finding.
Fix Text
Edit the SSH daemon configuration and add or edit the UsePrivilegeSeparation setting value to yes.
Additional Identifiers
Rule ID: SV-35139r1_rule
Vulnerability ID: V-22486
Group Title: GEN005537
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000225 |
The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. |
Controls
Number | Title |
---|---|
AC-6 |
Least Privilege |