Title

The SUSE operating system SSH daemon must be configured with a timeout interval. (Cat II impact)

Discussion

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the SUSE operating system-level, and deallocating networking assignments at the application level if multiple application sessions are using a single SUSE operating system-level network connection. This does not mean that the SUSE operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. Satisfies: SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109

Check Content

Verify the SUSE operating system SSH daemon is configured to timeout idle sessions. Check that the "ClientAliveInterval" parameter is set to a value of "600" with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*clientaliveinterval' ClientAliveInterval 600 If "ClientAliveInterval" is not set to "600" in "/etc/ssh/sshd_config", this is a finding.

Fix Text

Configure the SUSE operating system SSH daemon to timeout idle sessions. Add or modify (to match exactly) the following line in the "/etc/ssh/sshd_config" file: ClientAliveInterval 600 The SSH daemon must be restarted for any changes to take effect.

Additional Identifiers

Rule ID: SV-234827r951634_rule

Vulnerability ID: V-234827

Group Title: SRG-OS-000126-GPOS-00066

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.