File: rule.yml

package info (click to toggle)
scap-security-guide 0.1.78-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (57 lines) | stat: -rw-r--r-- 2,292 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
 
documentation_complete: true

title: 'Force frequent session key renegotiation'

description: |-
    The <tt>RekeyLimit</tt> parameter specifies how often
    the session key of the is renegotiated, both in terms of
    amount of data that may be transmitted and the time
    elapsed.<br/>
    To decrease the default limits, add or correct the following line in
    {{{ sshd_config_file() }}}
    <pre>RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}</pre>

rationale: |-
    By decreasing the limit based on the amount of data and enabling
    time-based limit, effects of potential attacks against
    encryption keys are limited.

severity: medium

identifiers:
    cce@rhel8: CCE-82177-7
    cce@rhel9: CCE-90815-2
    cce@rhel10: CCE-88356-1

references:
    ospp: FCS_SSH_EXT.1.8
    srg: SRG-OS-000480-GPOS-00227,SRG-OS-000033-GPOS-00014
    stigid@ol8: OL08-00-040161

ocil_clause: 'it is commented out or is not set'

ocil: |-
    To check if RekeyLimit is set correctly, run the
    following command:
    {{% if sshd_distributed_config == "true" %}}
    <pre>$ sudo grep RekeyLimit /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*</pre>
    {{% else %}}
    <pre>$ sudo grep RekeyLimit /etc/ssh/sshd_config</pre>
    {{% endif %}}
    If configured properly, output should be
    <pre>RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}</pre>

fixtext: |-
    {{% if sshd_distributed_config == "true" %}}
    Configure {{{ full_name }}} to force a frequent session key renegotiation for SSH connections to the server by adding or modifying the following line in the "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" file:
    {{% else %}}
    Configure {{{ full_name }}} to force a frequent session key renegotiation for SSH connections to the server by adding or modifying the following line in the "/etc/ssh/sshd_config" file:
    {{% endif %}}

    RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}

    Restart the SSH daemon for the settings to take effect.

    $ sudo systemctl restart sshd.service

srg_requirement: '{{{ full_name }}} must force a frequent session key renegotiation for SSH connections to the server.'