Check: SOL-11.1-040350
Solaris 11 SPARC STIG:
SOL-11.1-040350
(in versions v2 r10 through v1 r10)
Title
The rhost-based authentication for SSH must be disabled. (Cat II impact)
Discussion
Setting this parameter forces users to enter a password when authenticating with SSH.
Check Content
Determine if rhost-based authentication is enabled. # grep "^IgnoreRhosts" /etc/ssh/sshd_config If the output is produced and it is not: IgnoreRhosts yes this is a finding. If the IgnoreRhosts line does not exist in the file, the default setting of "Yes" is automatically used and there is no finding.
Fix Text
The root role is required. Modify the sshd_config file # pfedit /etc/ssh/sshd_config Locate the line containing: IgnoreRhosts Change it to: IgnoreRhosts yes Restart the SSH service. # svcadm restart svc:/network/ssh This action will only set the IgnoreRhosts line if it already exists in the file to ensure that it is set to the proper value. If the IgnoreRhosts line does not exist in the file, the default setting of "Yes" is automatically used, so no additional changes are needed.
Additional Identifiers
Rule ID: SV-216353r603267_rule
Vulnerability ID: V-216353
Group Title: SRG-OS-000480
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |