An error occurred:

Check: RHEL-07-040340

RHEL 7 STIG: RHEL-07-040340 (in versions v3 r11 through v2 r1)

Title

The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic terminate after a period of inactivity. (Cat II impact)

Discussion

Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109

Check Content

Verify the operating system automatically terminates a user session after inactivity time-outs have expired. Check for the value of the "ClientAliveCountMax" keyword with the following command: # grep -i clientalivecount /etc/ssh/sshd_config ClientAliveCountMax 0 If "ClientAliveCountMax" is not set to "0", this is a finding.

Fix Text

Configure the operating system to terminate automatically a user session after inactivity time-outs have expired or at shutdown. Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): ClientAliveCountMax 0 The SSH service must be restarted for changes to take effect.

Additional Identifiers

Rule ID: SV-204589r853992_rule

Vulnerability ID: V-204589

Group Title: SRG-OS-000163-GPOS-00072

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001133

Terminate the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.
CCI-002361

Automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-12

Session Termination
SC-10

Network Disconnect