File: rule.yml

package info (click to toggle)
scap-security-guide 0.1.78-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (65 lines) | stat: -rw-r--r-- 2,788 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
 
documentation_complete: true

title: 'Disable Host-Based Authentication'

description: |-
    SSH's cryptographic host-based authentication is
    more secure than <tt>.rhosts</tt> authentication. However, it is
    not recommended that hosts unilaterally trust one another, even
    within an organization.
    <br />
    The default SSH configuration disables host-based authentication. The appropriate
    configuration is used if no value is set for <tt>HostbasedAuthentication</tt>.
    <br />
    To explicitly disable host-based authentication, add or correct the
    following line in
    {{{ sshd_config_file() }}}
    <pre>HostbasedAuthentication no</pre>

rationale: |-
    SSH trust relationships mean a compromise on one host
    can allow an attacker to move trivially to other hosts.

severity: medium

identifiers:
    cce@rhel8: CCE-80786-7
    cce@rhel9: CCE-90816-0
    cce@rhel10: CCE-88057-5
    cce@sle12: CCE-91677-5
    cce@sle15: CCE-91439-0
    cce@slmicro5: CCE-93886-0

references:
    cis-csc: 11,12,14,15,16,18,3,5,9
    cis@sle12: 5.2.9
    cis@sle15: 5.2.9
    cjis: 5.5.6
    cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.03,DSS06.06
    cui: 3.1.12
    hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
    isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3
    isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 7.6'
    ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
    iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
    nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.2.3,CIP-004-6 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.2,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3
    nist: AC-3,AC-17(a),CM-7(a),CM-7(b),CM-6(a)
    nist-csf: PR.AC-4,PR.AC-6,PR.IP-1,PR.PT-3
    ospp: FIA_UAU.1
    srg: SRG-OS-000480-GPOS-00229
    stigid@ol7: OL07-00-010470

{{{ complete_ocil_entry_sshd_option(default="yes", option="HostbasedAuthentication", value="no") }}}

fixtext: |-
    {{{ fixtext_sshd_lineinfile("HostbasedAuthentication", "no") }}}

srg_requirement: '{{{ full_name }}}  must not allow a non-certificate trusted host SSH logon to the system.'

template:
    name: sshd_lineinfile
    vars:
        parameter: HostbasedAuthentication
        value: 'no'
        datatype: string
        is_default_value: 'true'