Title

SLEM 5 SSH daemon must perform strict mode checking of home directory configuration files. (Cat II impact)

Discussion

If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.

Check Content

Verify SLEM 5 SSH daemon performs strict mode checking of home directory configuration files with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*strictmodes' /etc/ssh/sshd_config:StrictModes yes If "StrictModes" is not set to "yes", is commented out, missing, or conflicting results are returned, this is a finding.

Fix Text

Configure SLEM 5 SSH daemon performs strict mode checking of home directory configuration files. Add or modify the following line in the "/etc/ssh/sshd_config" file: StrictModes yes Restart the SSH daemon in order for the changes to take effect: > sudo systemctl restart sshd.service

Additional Identifiers

Rule ID: SV-261341r996486_rule

Vulnerability ID: V-261341

Group Title: SRG-OS-000480-GPOS-00227

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.