Bug 2038977

Summary: Find solution for RHEL8 STIG rules that are meant to disconnect idle SSH users
Product: Red Hat Enterprise Linux 8
Reporter: Gabriel Gaspar Becker <ggasparb>
Component: scap-security-guide
Assignee: Gabriel Gaspar Becker <ggasparb>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Docs Contact: Jan Fiala <jafiala>
Priority: unspecified
Version: 8.6
CC: ggasparb, jafiala, lmanasko, mhaicman, peter.vreman, suwu, vpolasek, wsato
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Known Issue
Doc Text:
.SSH timeout rules in STIG profiles configure incorrect options

An update of OpenSSH affected the rules in the following Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) profiles:

* DISA STIG for RHEL 8 (`xccdf_org.ssgproject.content_profile_stig`)
* DISA STIG with GUI for RHEL 8 (`xccdf_org.ssgproject.content_profile_stig_gui`)

In each of these profiles, the following two rules are affected:

----
Title: Set SSH Client Alive Count Max to zero
CCE Identifier: CCE-83405-1
Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
STIG ID: RHEL-08-010200

Title: Set SSH Idle Timeout Interval
CCE Identifier: CCE-80906-1
Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
STIG ID: RHEL-08-010201
----

When applied to SSH servers, each of these rules configures an option (`ClientAliveCountMax` and `ClientAliveInterval`) that no longer behaves as it previously did. As a consequence, OpenSSH no longer disconnects idle SSH users when it reaches the timeout configured by these rules. As a workaround, these rules have been temporarily removed from the DISA STIG for RHEL 8 and DISA STIG with GUI for RHEL 8 profiles until a solution is developed.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-09-02 08:13:27 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Gabriel Gaspar Becker 2022-01-10 16:48:51 UTC
Description of problem:

Rules "Set SSH Idle Timeout Interval" and "Set SSH Client Alive Max Count" won't work the way they used to work in previous versions of RHEL8 and an alternative solution needs to be found. Either the following RFE is fulfilled: https://bugzilla.redhat.com/show_bug.cgi?id=2022064 or DISA moves into another direction for the requirement fulfillment.

"Idle" SSH connections will not be terminated anymore no matter what configuration is in place. See https://bugzilla.redhat.com/show_bug.cgi?id=2015828 for more details.
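The known issue above says the two STIG rules set `ClientAliveCountMax` to zero and `ClientAliveInterval` to a timeout, and that OpenSSH no longer drops idle users with those values in place. The shell check below is an added example, not code from this bug report or from the scap-security-guide project: it reads an `sshd -T`-style option dump and reports whether a server-side disconnect is actually in effect. The sample dump, the function names and the treatment of missing keys are constructed for the example; the verdict logic relies on the OpenSSH 8.2 release-note behaviour that `ClientAliveCountMax 0` disables connection termination entirely.

```shell
#!/bin/sh
# Added example (not from the bug or from scap-security-guide): evaluate the
# effective ClientAlive* settings of an sshd and report whether an idle-session
# disconnect is really enforced. Input is text in the format printed by
# `sshd -T` (one lowercase option per line).

# Constructed sample: how a host looks after the two STIG rules are applied
# (RHEL-08-010201 -> ClientAliveInterval 600, RHEL-08-010200 -> ClientAliveCountMax 0).
SAMPLE_SSHD_T='port 22
clientaliveinterval 600
clientalivecountmax 0
tcpkeepalive yes'

# get_opt <key>: print the value of a lowercase key from an sshd -T dump on
# stdin. sshd -T prints every option exactly once, so the first match is enough.
get_opt() {
    awk -v k="$1" '$1 == k { print $2; exit }'
}

# idle_disconnect_status <dump-text>
# Prints one of:
#   off       - ClientAliveInterval is 0: sshd sends no liveness probes at all
#   disabled  - ClientAliveCountMax is 0: since OpenSSH 8.2 this disables
#               connection termination, which is the behaviour this bug reports
#   <seconds> - worst-case time an unresponsive client stays connected
#               (interval * countmax)
idle_disconnect_status() {
    interval=$(printf '%s\n' "$1" | get_opt clientaliveinterval)
    countmax=$(printf '%s\n' "$1" | get_opt clientalivecountmax)
    # Missing keys fall back to the OpenSSH defaults (assumption for plain
    # sshd_config input; a real sshd -T dump always contains both keys).
    : "${interval:=0}" "${countmax:=3}"
    if [ "$interval" -eq 0 ]; then
        echo off
    elif [ "$countmax" -eq 0 ]; then
        echo disabled
    else
        echo $((interval * countmax))
    fi
}

# Stand-alone run against the constructed sample. On a real host use
# idle_disconnect_status "$(sshd -T)" instead (sshd -T needs root).
idle_disconnect_status "$SAMPLE_SSHD_T"
```

Two caveats a reviewer of this control should keep in mind: `ClientAliveInterval` and `ClientAliveCountMax` only detect a client that stops answering liveness probes, so a session whose client is up but whose user is simply idle is never terminated by them in any OpenSSH version; and with the STIG value `ClientAliveCountMax 0` the check above reports `disabled`, which is exactly why the two rules were pulled from the profiles until the RFE referenced above is resolved.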

Comment 8 Vojtech Polasek 2022-09-02 08:13:27 UTC
This BZ is superseded by:
https://bugzilla.redhat.com/show_bug.cgi?id=2122322