1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
documentation_complete: true
title: 'Configure SSSD to Expire SSH Known Hosts'
description: |-
SSSD should be configured to expire keys from known SSH hosts after
<tt>{{{ xccdf_value("var_sssd_ssh_known_hosts_timeout") }}}</tt> seconds.
To configure SSSD to known SSH hosts, set <tt>ssh_known_hosts_timeout</tt>
to <tt>{{{ xccdf_value("var_sssd_ssh_known_hosts_timeout") }}}</tt> under the
<tt>[ssh]</tt> section in <tt>/etc/sssd/sssd.conf</tt>. For example:
<pre>[ssh]
ssh_known_hosts_timeout = {{{ xccdf_value("var_sssd_ssh_known_hosts_timeout") }}}
</pre>
rationale: |-
If cached authentication information is out-of-date, the validity of the
authentication information may be questionable.
severity: medium
identifiers:
cce@rhel8: CCE-82442-5
references:
cis-csc: 1,12,15,16,5
cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1'
iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
nist: CM-6(a),IA-5(13)
nist-csf: PR.AC-1,PR.AC-6,PR.AC-7
srg: SRG-OS-000383-GPOS-00166
ocil_clause: 'it does not exist or is not configured properly'
ocil: |-
To verify that SSSD expires known SSH host keys, run the following command:
<pre>$ sudo grep ssh_known_hosts_timeout /etc/sssd/sssd.conf</pre>
If configured properly, output should be
<pre>ssh_known_hosts_timeout = {{{ xccdf_value("var_sssd_ssh_known_hosts_timeout") }}}</pre>
|
