Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-216084 | SOL-11.1-030055 | SV-216084r603268_rule | Medium |
Description |
---|
If ssh’s configuration file does not contain the appropriate rules for allowing and denying access to the system’s network resources, the system may be accessible to unauthorized hosts. |
STIG | Date |
---|---|
Solaris 11 X86 Security Technical Implementation Guide | 2020-12-04 |
Check Text ( C-17322r372634_chk ) |
---|
Determine if OpenSSH is installed: For Solaris 11.3 use: # pkg list network/openssh For Solaris 11.4 and higher use: # pkg list network/ssh If the command output shows version 7 or higher, this check applies. Determine if /etc/ssh/sshd_config is configured to control ssh access. # grep "^Match Address" /etc/ssh/sshd_config If no output is produced, this is a finding. If there is output, review the address list. Ensure it conforms to organizational and mission requirements. If the address list is not configured to organizational standards, this is a finding. For example: Match Address *,!192.0.2.0/16. This blocks everything but the 192.0 network. # tail /etc/ssh/sshd_config At the end of the file, determine if the line following the "Match Address" is "MaxAuthTries 0". If the line is not following "Match Address" is not "MaxAuthTries" or does not have the value of 0 (zero), then this is a finding. |
Fix Text (F-17320r372635_fix) |
---|
The root role is required. Modify the sshd_config file: # pfedit /etc/ssh/sshd_config Locate the bottom of the file. Insert or modify the lines: Match Address [blocked and permitted network address list here] MaxAuthTries 0 Restart the SSH service: # svcadm restart svc:/network/ssh Note: OpenSSH MaxAuthTries of 0 maps to immediate failure and this must follow the "Match Address" line with no lines below it. |