File: rule.yml

scap-security-guide 0.1.78-1
documentation_complete: true

title: 'Disable Compression Or Set Compression to delayed'

description: |-
    Compression is useful for slow network connections over long
    distances but can cause performance issues on local LANs. If use of compression
    is required, it should be enabled only after a user has authenticated; otherwise,
    it should be disabled. To disable compression or delay compression until after
    a user has successfully authenticated, add or correct the following line in the
    <tt>/etc/ssh/sshd_config</tt> file:
    <pre>Compression {{{ xccdf_value("var_sshd_disable_compression") }}}</pre>

rationale: |-
    If compression is allowed in an SSH connection prior to authentication,
    vulnerabilities in the compression software could result in compromise of the
    system from an unauthenticated connection, potentially with root privileges.

severity: medium

identifiers:
    cce@rhel8: CCE-80895-6
    cce@rhel9: CCE-90801-2
    cce@rhel10: CCE-90051-4
    cce@sle12: CCE-83062-0
    cce@sle15: CCE-85647-6

references:
    cis-csc: 11,3,9
    cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05
    cui: 3.1.12
    hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
    isa-62443-2009: 4.3.4.3.2,4.3.4.3.3
    isa-62443-2013: 'SR 7.6'
    iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4
    nist: AC-17(a),CM-7(a),CM-7(b),CM-6(a)
    nist-csf: PR.IP-1
    srg: SRG-OS-000480-GPOS-00227
    stigid@ol7: OL07-00-040470
    stigid@sle12: SLES-12-030250

ocil_clause: 'it is commented out, or is not set to no or delayed'

ocil: |-
    To check if compression is enabled or set correctly, run the
    following command:
    <pre>$ sudo grep Compression /etc/ssh/sshd_config</pre>
    If configured properly, output should be <pre>no</pre> or <pre>delayed</pre>.

{{% if product == "ol7" %}}
platform: os_linux[ol]<7.4
{{% elif product == "sle12" %}}
platform: package[openssh]<7.4
{{% endif %}}

fixtext: '{{{ fixtext_sshd_lineinfile("Compression", xccdf_value("var_sshd_disable_compression"), no) }}}'

srg_requirement: 'The {{{ full_name }}} SSH daemon must not allow compression or must only allow compression after successful authentication.'

template:
    name: sshd_lineinfile
    vars:
        parameter: Compression
        xccdf_variable: var_sshd_disable_compression
        datatype: string
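The rule's check (`grep Compression /etc/ssh/sshd_config`) also matches commented-out lines and ignores the fact that sshd uses the first value it obtains for a keyword and that Match blocks scope later values. The script below is an added example, not part of the scap-security-guide rule or its template: it extracts the global `Compression` value from an sshd_config-style file the way sshd reads it (comments stripped, `Keyword=value` accepted, global scope ending at the first `Match`) and applies the rule's pass condition (`no` or `delayed`). The sample configs it writes are constructed; the rule's own platform guard (`package[openssh]<7.4`) reflects that OpenSSH 7.4 removed pre-authentication compression, so on newer servers the directive is no longer security-relevant in this way.

```shell
#!/bin/sh
# Added example (not the project's code): audit the global Compression
# directive in an sshd_config file against the rule's pass condition.

# Print the effective global Compression value (lowercased), or "unset".
# sshd uses the first value obtained for a keyword, so the first
# uncommented match before any Match block wins.
sshd_compression_value() {
    # $1: path to an sshd_config-style file
    awk '
        { sub(/#.*/, ""); gsub(/[ \t]*=[ \t]*/, " "); $0 = $0 }  # drop comments, allow Key=value
        NF == 0 { next }                                        # blank or comment-only line
        tolower($1) == "match" { exit }                         # global scope ends here
        tolower($1) == "compression" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }                       # exit still runs END
    ' "$1"
}

# Return 0 if the rule passes (Compression is no or delayed), 1 otherwise.
sshd_compression_compliant() {
    case "$(sshd_compression_value "$1")" in
        no|delayed) return 0 ;;
        *)          return 1 ;;
    esac
}

# Demo on constructed sample files (not real host configs).
demo_dir=$(mktemp -d)
printf 'Port 22\nCompression delayed\nMatch User backup\n    Compression yes\n' > "$demo_dir/ok.conf"
printf '#Compression delayed\nUseDNS no\n' > "$demo_dir/bad.conf"
for f in "$demo_dir/ok.conf" "$demo_dir/bad.conf"; do
    if sshd_compression_compliant "$f"; then status=PASS; else status=FAIL; fi
    printf '%s: Compression=%s -> %s\n' "$f" "$(sshd_compression_value "$f")" "$status"
done
rm -rf "$demo_dir"
```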