Title

RHEL 9 must not allow users to override SSH environment variables. (Cat II impact)

Discussion

SSH environment options potentially allow users to bypass access restriction in some configurations.

Check Content

Verify that unattended or automatic logon via SSH is disabled with the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*permituserenvironment' PermitUserEnvironment no If "PermitUserEnvironment" is set to "yes", is missing completely, or is commented out, this is a finding. If the required value is not set, this is a finding.

Fix Text

Configure the RHEL 9 SSH daemon to not allow unattended or automatic logon to the system. Add or edit the following line in the "/etc/ssh/sshd_config" file: PermitUserEnvironment no Restart the SSH daemon for the setting to take effect: $ sudo systemctl restart sshd.service

Additional Identifiers

Rule ID: SV-257993r952192_rule

Vulnerability ID: V-257993

Group Title: SRG-OS-000480-GPOS-00229

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.