Bug 2038977
Summary: | Find solution for RHEL8 STIG rules that are meant to disconnect idle SSH users | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Gabriel Gaspar Becker <ggasparb> |
Component: | scap-security-guide | Assignee: | Gabriel Gaspar Becker <ggasparb> |
Status: | CLOSED WONTFIX | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
Severity: | high | Docs Contact: | Jan Fiala <jafiala> |
Priority: | unspecified | ||
Version: | 8.6 | CC: | ggasparb, jafiala, lmanasko, mhaicman, peter.vreman, suwu, vpolasek, wsato |
Target Milestone: | rc | Keywords: | Triaged |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Known Issue | |
Doc Text: |
.SSH timeout rules in STIG profiles configure incorrect options
An update of OpenSSH affected the rules in the following Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) profiles:
* DISA STIG for RHEL 8 (`xccdf_org.ssgproject.content_profile_stig`)
* DISA STIG with GUI for RHEL 8 (`xccdf_org.ssgproject.content_profile_stig_gui`)
In each of these profiles, the following two rules are affected:
----
Title: Set SSH Client Alive Count Max to zero
CCE Identifier: CCE-83405-1
Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
STIG ID: RHEL-08-010200
Title: Set SSH Idle Timeout Interval
CCE Identifier: CCE-80906-1
Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
STIG ID: RHEL-08-010201
----
When applied to SSH servers, each of these rules configures an option (`ClientAliveCountMax` and `ClientAliveInterval`) that no longer behaves as previously. As a consequence, OpenSSH no longer disconnects idle SSH users when it reaches the timeout configured by these rules. As a workaround, these rules have been temporarily removed from the DISA STIG for RHEL 8 and DISA STIG with GUI for RHEL 8 profiles until a solution is developed.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2022-09-02 08:13:27 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Gabriel Gaspar Becker
2022-01-10 16:48:51 UTC
This BZ is superseded by: https://bugzilla.redhat.com/show_bug.cgi?id=2122322 |