Title

RHEL 8 must not allow users to override SSH environment variables. (Cat II impact)

Discussion

SSH environment options potentially allow users to bypass access restriction in some configurations.

Check Content

Verify that unattended or automatic logon via ssh is disabled with the following command: $ sudo grep -ir PermitUserEnvironment /etc/ssh/sshd_config* PermitUserEnvironment no If "PermitUserEnvironment" is set to "yes", is missing completely, or is commented out, this is a finding. If conflicting results are returned, this is a finding.

Fix Text

Configure RHEL 8 to allow the SSH daemon to not allow unattended or automatic logon to the system. Add or edit the following line in the "/etc/ssh/sshd_config" file: PermitUserEnvironment no The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command: $ sudo systemctl restart sshd.service

Additional Identifiers

Rule ID: SV-230330r877377_rule

Vulnerability ID: V-230330

Group Title: SRG-OS-000480-GPOS-00229

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.