Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-22470 | GEN005521 | SV-63727r1_rule | ECLP-1 | Medium |
Description |
---|
Restricting SSH logins to a limited group of users, such as system administrators, prevents password-guessing and other SSH attacks from reaching system accounts and other accounts not authorized for SSH access. |
STIG | Date |
---|---|
Oracle Linux 5 Security Technical Implementation Guide | 2015-06-05 |
Check Text ( C-52311r2_chk ) |
---|
There are two ways in which access to SSH may restrict users or groups. Check if /etc/pam.d/sshd is configured to require daemon style login control. # grep pam_access.so /etc/pam.d/sshd|grep "required"|grep "account"| grep -v '^#' If no lines are returned, sshd is not configured to use pam_access. Check the SSH daemon configuration for the AllowGroups setting. # egrep -i "AllowGroups|AllowUsers" /etc/ssh/sshd_config | grep -v '^#' If no lines are returned, sshd is not configured to limit access to users/groups. If sshd is not configured to limit access either through pam_access or the use "AllowUsers" or "AllowGroups", this is a finding. |
Fix Text (F-54309r2_fix) |
---|
Edit the SSH daemon configuration and add an "AllowGroups" or "AllowUsers" directive specifying the groups and users allowed to have access. Restart the SSH daemon. # /sbin/service sshd restart Alternatively, modify the /etc/pam.d/sshd file to include the line account required pam_access.so accessfile= If the "accessfile" option is not specified the default "access.conf" file will be used. The "access.conf" file must contain the user restriction definitions. |