<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.gentoo.dev.swift_benchmark_Gentoo-Security-Benchmark-OpenSSH-1" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" resolved="0">
<status date="2012-07-14">draft</status>
<title>Hardening OpenSSH</title>
<description>
The OpenSSH server offers remote Secure Shell services towards your users. This benchmark
focuses on the hardening of OpenSSH within a Gentoo Hardened environment.
</description>
<platform idref="cpe:/o:gentoo:linux"/>
<version>1</version>
<model system="urn:xccdf:scoring:default"/>
<model system="urn:xccdf:scoring:flat"/>
<Profile id="xccdf_org.gentoo.dev.swift_profile_default">
<title>OpenSSH server setup settings</title>
<description>
Profile matching all OpenSSH hardening rules
</description>
<select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-rhosts" selected="true" />
<select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-rrsa" selected="true" />
<select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-hostbased" selected="true" />
<select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-empty" selected="true" />
<select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-pam" selected="true" />
<select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-protocol" selected="true" />
<select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-useprivsep" selected="true" />
<select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-nox11fwd" selected="true" />
<select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-strictmode" selected="true" />
<select idref="xccdf_org.gentoo.dev.swift_rule_sshd-norootlogin" selected="true" />
<select idref="xccdf_org.gentoo.dev.swift_rule_sshd-nopasswordauth" selected="true" />
<select idref="xccdf_org.gentoo.dev.swift_rule_sshd-nochallengeresponse" selected="true" />
<select idref="xccdf_org.gentoo.dev.swift_rule_sshd-allowgroup" selected="true" />
<select idref="xccdf_org.gentoo.dev.swift_rule_sshd-hostsallow" selected="true" />
<select idref="xccdf_org.gentoo.dev.swift_rule_sshd-hostsdeny" selected="true" />
<select idref="xccdf_org.gentoo.dev.swift_rule_sshd-listen" selected="true" />
<select idref="xccdf_org.gentoo.dev.swift_rule_sshd-listen4" selected="true" />
<select idref="xccdf_org.gentoo.dev.swift_rule_sshd-listen6" selected="true" />
<select idref="xccdf_org.gentoo.dev.swift_rule_sshd-notcpfwd" selected="true" />
</Profile>
<Group id="xccdf_org.gentoo.dev.swift_group_intro">
<title>Introduction</title>
<description>
The OpenSSH service is one of the most widely used implementations of the SSH service.
</description>
<Group id="xccdf_org.gentoo.dev.swift_group_intro-using">
<title>Using this guide</title>
<description>
The guide you are currently reading is the guide generated from this SCAP
content (more specifically, the XCCDF document) using <h:b>openscap</h:b>,
a free software implementation for handling SCAP content. Within Gentoo,
the package <h:code>app-forensics/openscap</h:code> provides the tools, and
the following command is used to generate the HTML output:
<h:br />
<h:pre>### Command to generate this guide ###
# <h:b>oscap xccdf generate guide openssh-xccdf.xml > guide-openssh-xccdf.html</h:b>
</h:pre>
<h:br />
Secondly, together with this XCCDF XML, you will also find an OVAL XML file.
The two files combined allow you to automatically validate various settings as
documented in the benchmark.
<h:br />
<h:br />
You can test the benchmark against your configuration.
<h:pre>### Testing the rules mentioned in the XCCDF document ###
# <h:b>oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default openssh-xccdf.xml</h:b></h:pre>
<h:br />
To generate a full report in HTML as well, you can use the next command:
<h:pre>### Testing the rules and generating an HTML report ###
# <h:b>oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default --results results-openssh-xccdf.xml --report report-openssh-xccdf.html openssh-xccdf.xml</h:b></h:pre>
<h:br />
<h:br />
The benchmark is also available as data stream. In this case, you do not
need to provide the various files - all you need is the benchmark file.
For instance:
<h:pre>### Testing the rules based on the data stream
# <h:b>oscap xccdf eval --profile xccdf_org.gentoo.dev.swift_profile_default openssh-ds.xml</h:b></h:pre>
<h:br />
Finally, this benchmark will suggest some settings which you do not want
to enable. That is perfectly fine - even more, some settings might even
raise eyebrows left and right. We'll try to document the reasoning behind
the settings but you are free to deviate from them. If that is the case,
you might want to create your own profile which only contains the rules
you want checked. You can then use that profile instead of the Default one.
</description>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_intro-profiles">
<title>Available XCCDF Profiles</title>
<description>
As mentioned earlier, the XCCDF document supports multiple profiles. For the time
being, one profile is defined:
<h:br />
<h:ul>
<h:li>Default contains all mentioned tests</h:li>
</h:ul>
Substitute the profile information in the commands above with the profile you want to test on.
</description>
</Group>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_config">
<title>Configuration Settings</title>
<description>
In this section, we look at the configuration settings of an OpenSSH service.
</description>
<Group id="xccdf_org.gentoo.dev.swift_group_config-default">
<title>Default OpenSSH settings</title>
<description>
OpenSSH comes with some sane defaults to start with. These should not be touched.
</description>
<Group id="xccdf_org.gentoo.dev.swift_group_config-default-rhosts">
<title>Ignore Rhosts</title>
<description>
Historically, users could define a <h:code>.rhosts</h:code> or <h:code>.shosts</h:code>
file in which they mention the systems from which they log on to the system (the client
hosts). When the user then logs on from one of these remote locations, the shell service
would not ask for password authentication and just automatically log in the user.
<h:br />
<h:br />
The shell service treats hosts mentioned in <h:code>.shosts</h:code> a bit differently: it first
checks that host's identity using a public key authentication scheme (in which case the
host keys of the clients are placed in <h:code>/etc/ssh/ssh_known_hosts</h:code> or
<h:code>~/.ssh/known_hosts</h:code>).
<h:br />
<h:br />
This is however a very insecure setup and can be easily circumvented. It only performs
host-based authentication, not user authentication, and in case of the <h:code>.rhosts</h:code>
file this host-based authentication is only based on the hostname/IP matching.
<h:br />
<h:br />
For this reason, support for the <h:code>.rhosts</h:code> and <h:code>.shosts</h:code>
files is by default disabled.
<h:br />
<h:br />
<h:pre>### /etc/ssh/sshd_config : IgnoreRhosts
# If set, IgnoreRhosts must be set to yes (which is the default)
IgnoreRhosts yes</h:pre>
</description>
<!-- @@GEN START rule-sshd-def-rhosts -->
<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-rhosts" selected="false">
<title>file /etc/ssh/sshd_config may not have a line that matches ^IgnoreRhosts.*no</title>
<description>file /etc/ssh/sshd_config may not have a line that matches ^IgnoreRhosts.*no</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.gentoo.dev.swift:def:8" href="openssh-oval.xml" />
</check>
</Rule>
<!-- @@GEN END rule-sshd-def-rhosts -->
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_config-default-rhostsrsa">
<title>Do not allow RSA Host Authentication</title>
<description>
As part of the Rhosts implementation, OpenSSH supports using RSA authentication for remote hosts.
With RSA authentication enabled, hosts mentioned in the <h:code>.rhosts</h:code> (or <h:code>/etc/hosts.equiv</h:code>)
files need to be authenticated based on their RSA key. This applies to the SSH protocol version 1 only.
<h:br />
<h:br />
As Rhosts has been found insecure, this option does not make rhosts any more acceptable to use. For this reason,
this option is by default disabled.
<h:br />
<h:pre>### /etc/ssh/sshd_config : RhostsRSAAuthentication
# If set, RhostsRSAAuthentication must be set to "no" (which is the default).
RhostsRSAAuthentication no</h:pre>
</description>
<!-- @@GEN START rule-sshd-def-rrsa -->
<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-rrsa" selected="false">
<title>file /etc/ssh/sshd_config may not have a line that matches ^RhostsRSAAuthentication.*yes</title>
<description>file /etc/ssh/sshd_config may not have a line that matches ^RhostsRSAAuthentication.*yes</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.gentoo.dev.swift:def:9" href="openssh-oval.xml" />
</check>
</Rule>
<!-- @@GEN END rule-sshd-def-rrsa -->
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_config-default-hostbased">
<title>Do not allow Host-based Authentication</title>
<description>
As part of the Rhosts implementation, OpenSSH supports using public key authentication for remote hosts.
With this enabled, hosts mentioned in the <h:code>.rhosts</h:code> (or <h:code>/etc/hosts.equiv</h:code>)
files need to be authenticated based on their public key. This applies to the SSH protocol version 2 only.
<h:br />
<h:br />
As Rhosts has been found insecure, this option does not make rhosts any more acceptable to use. For this reason,
this option is by default disabled.
<h:br />
<h:pre>### /etc/ssh/sshd_config : HostbasedAuthentication
# If set, HostbasedAuthentication must be set to "no" (which is the default)
HostbasedAuthentication no</h:pre>
</description>
<!-- @@GEN START rule-sshd-def-hostbased -->
<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-hostbased" selected="false">
<title>file /etc/ssh/sshd_config may not have a line that matches ^HostbasedAuthentication.*yes</title>
<description>file /etc/ssh/sshd_config may not have a line that matches ^HostbasedAuthentication.*yes</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.gentoo.dev.swift:def:10" href="openssh-oval.xml" />
</check>
</Rule>
<!-- @@GEN END rule-sshd-def-hostbased -->
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_config-default-emptypassword">
<title>Do not Permit Empty Passwords</title>
<description>
If password-based authentication is used, it is wise not to allow empty passwords.
<h:br />
<h:br />
Allowing empty passwords within your network makes the services <h:em>very</h:em> vulnerable
to exploit, even when the software is fully up-to-date.
<h:br />
<h:pre>### /etc/ssh/sshd_config : PermitEmptyPasswords
# If set, PermitEmptyPasswords must be set to "no" (which is the default).
PermitEmptyPasswords no</h:pre>
</description>
<!-- @@GEN START rule-sshd-def-empty -->
<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-empty" selected="false">
<title>file /etc/ssh/sshd_config may not have a line that matches ^PermitEmptyPasswords.*yes</title>
<description>file /etc/ssh/sshd_config may not have a line that matches ^PermitEmptyPasswords.*yes</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.gentoo.dev.swift:def:11" href="openssh-oval.xml" />
</check>
</Rule>
<!-- @@GEN END rule-sshd-def-empty -->
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_config-default-pam">
<title>Use PAM</title>
<description>
PAM (Pluggable Authentication Modules) is a powerful framework for managing
authentication of users and services in a flexible manner. By default, OpenSSH
uses PAM for the authentication of users.
<h:br />
<h:br />
One of the many advantages of PAM is that you can add in additional rules you want
to enforce during the authentication. You can limit access based on login count (or number of failures),
use centralized authentication repositories (like OpenLDAP), allow access only during specific
time windows, etc.
<h:br />
<h:br />
It is strongly advised to use PAM for SSH authentication too (but do manage the PAM configuration
properly!). Be aware though that the authentication services of PAM themselves (verifying that the user is
who he says he is) are not used if public key authentication is used. The other services, which include
the access controls mentioned earlier, are still consulted though.
<h:br />
<h:pre>### /etc/ssh/sshd_config : UsePAM
# If set, UsePAM must be set to "yes" (which is the default)
UsePAM yes</h:pre>
</description>
<!-- @@GEN START rule-sshd-def-pam -->
<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-pam" selected="false">
<title>file /etc/ssh/sshd_config may not have a line that matches ^UsePAM.*no</title>
<description>file /etc/ssh/sshd_config may not have a line that matches ^UsePAM.*no</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.gentoo.dev.swift:def:12" href="openssh-oval.xml" />
</check>
</Rule>
<!-- @@GEN END rule-sshd-def-pam -->
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_config-default-protocol2">
<title>Only use version 2 of the SSH protocol</title>
<description>
The first version of the SSH protocol has been found insecure: TODO.
<h:br />
<h:br />
For this reason, it is strongly advised to use version 2 of the protocol only. This is also
the default for OpenSSH.
<h:br />
<h:pre>### /etc/ssh/sshd_config : Protocol
# If set, Protocol must be set to 2 only (which is the default)
Protocol 2</h:pre>
</description>
<!-- @@GEN START rule-sshd-def-protocol -->
<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-protocol" selected="false">
<title>file /etc/ssh/sshd_config may not have a line that matches ^Protocol.*1</title>
<description>file /etc/ssh/sshd_config may not have a line that matches ^Protocol.*1</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.gentoo.dev.swift:def:13" href="openssh-oval.xml" />
</check>
</Rule>
<!-- @@GEN END rule-sshd-def-protocol -->
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_config-default-privsep">
<title>Use privilege separation</title>
<description>
With privilege separation enabled, the SSH daemon has a tiny footprint running as root,
whereas the rest of the application runs as an unprivileged process to deal with the
incoming network traffic. This can be tuned with <h:code>UsePrivilegeSeparation yes</h:code>
which is the default for OpenSSH.
<h:br />
<h:pre>### /etc/ssh/sshd_config : UsePrivilegeSeparation
# If set, UsePrivilegeSeparation must be set to yes (which is the default)
UsePrivilegeSeparation yes</h:pre>
</description>
<!-- @@GEN START rule-sshd-def-useprivsep -->
<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-useprivsep" selected="false">
<title>file /etc/ssh/sshd_config may not have a line that matches ^UsePrivilegeSeparation.*no</title>
<description>file /etc/ssh/sshd_config may not have a line that matches ^UsePrivilegeSeparation.*no</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.gentoo.dev.swift:def:14" href="openssh-oval.xml" />
</check>
</Rule>
<!-- @@GEN END rule-sshd-def-useprivsep -->
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_config-default-x11fwd">
<title>Disable X11 forwarding</title>
<description>
SSH supports forwarding X11 packets, so X11 applications started on the remote system have their
display shown on the client. This behavior is by default disabled.
<h:br />
<h:pre>### /etc/ssh/sshd_config : X11Forwarding
# If set, X11Forwarding must be set to no (which is the default)
X11Forwarding no</h:pre>
</description>
<!-- @@GEN START rule-sshd-def-nox11fwd -->
<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-nox11fwd" selected="false">
<title>file /etc/ssh/sshd_config may not have a line that matches ^X11Forwarding.*yes</title>
<description>file /etc/ssh/sshd_config may not have a line that matches ^X11Forwarding.*yes</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.gentoo.dev.swift:def:15" href="openssh-oval.xml" />
</check>
</Rule>
<!-- @@GEN END rule-sshd-def-nox11fwd -->
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_config-default-strictmode">
<title>Enable strict mode</title>
<description>
When <h:code>StrictModes yes</h:code> is enabled, the SSH daemon will only allow a remote user to
log on when some of the important files in that users' home directory have the proper privileges and
ownership. This behavior is by default enabled.
<h:br />
<h:pre>### /etc/ssh/sshd_config : StrictModes
# If set, StrictModes must be set to yes (which is the default)
StrictModes yes</h:pre>
</description>
<!-- @@GEN START rule-sshd-def-strictmode -->
<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-strictmode" selected="false">
<title>file /etc/ssh/sshd_config may not have a line that matches ^StrictMode.*no</title>
<description>file /etc/ssh/sshd_config may not have a line that matches ^StrictMode.*no</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.gentoo.dev.swift:def:16" href="openssh-oval.xml" />
</check>
</Rule>
<!-- @@GEN END rule-sshd-def-strictmode -->
</Group>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_config-auth">
<title>Authentication-related settings</title>
<description>
Being a remote shell service, authentication is one of the main features that OpenSSH provides.
A few settings help us in hardening the SSH server even further.
</description>
<Group id="xccdf_org.gentoo.dev.swift_group_config-auth-noroot">
<title>Disable root logins</title>
<description>
As root is one of the most powerful accounts, direct access to root should be limited. It is
advised that, if a process needs root privileges, it uses a functional account which has the
right to call one or a few commands as root, but nothing else.
<h:br />
<h:br />
With OpenSSH, it is possible to prohibit direct root access towards the system if feasible within
your architecture. This can be accomplished using the <h:code>PermitRootLogin no</h:code> directive.
If you need root logins, consider only allowing specified command access (forced-commands-only).
<h:br />
<h:pre>### /etc/ssh/sshd_config : PermitRootLogin
# Set this to "no" or, if needed, "forced-commands-only"
PermitRootLogin no</h:pre>
</description>
<!-- @@GEN START rule-sshd-norootlogin -->
<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-norootlogin" selected="false">
<title>file /etc/ssh/sshd_config must have a line that matches ^PermitRootLogin no</title>
<description>file /etc/ssh/sshd_config must have a line that matches ^PermitRootLogin no</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.gentoo.dev.swift:def:1" href="openssh-oval.xml" />
</check>
</Rule>
<!-- @@GEN END rule-sshd-norootlogin -->
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_config-auth-nopassword">
<title>Use public key authentication</title>
<description>
By default, OpenSSH uses interactive, keyboard-based password logins. One intrinsic problem with
passwords is that they can be weak, but also that compromised passwords can be reused from other locations.
<h:br />
<h:br />
A safer approach for remote shell invocation is to use a key pair: the key is much stronger than most
passwords, making brute-force attacks impractical and dictionary attacks useless. The private key is only
known to you (on your system) and optionally (but preferably) protected by a (strong) passphrase so that
adversaries who gain access to your system still cannot use your private key.
<h:br />
<h:br />
Such a key pair can be generated by the users using <h:b>ssh-keygen -t dsa</h:b>, after which the private and
public keys are stored in <h:code>~/.ssh</h:code>.
<h:br />
<h:br />
On the OpenSSH server level, you can force the use of public key authentication (and thus deny
keyboard-interactive password logins) using <h:code>PasswordAuthentication no</h:code>.
<h:br />
<h:pre>### /etc/ssh/sshd_config : PasswordAuthentication
# Set this to "no"
PasswordAuthentication no</h:pre>
</description>
<!-- @@GEN START rule-sshd-nopasswordauth -->
<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-nopasswordauth" selected="false">
<title>file /etc/ssh/sshd_config must have a line that matches ^PasswordAuthentication no</title>
<description>file /etc/ssh/sshd_config must have a line that matches ^PasswordAuthentication no</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.gentoo.dev.swift:def:2" href="openssh-oval.xml" />
</check>
</Rule>
<!-- @@GEN END rule-sshd-nopasswordauth -->
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_config-auth-nochallengeresponse">
<title>Disable ChallengeResponseAuthentication</title>
<description>
In OpenSSH, a (confusing) parameter called <h:code>ChallengeResponseAuthentication</h:code>
is available (and by default enabled). Many users might believe that this implements a more secure
authentication method (based on a challenge and a token that need to be verified - i.e. multi-factor
authentication). However, in case of this parameter, this isn't true.
<h:br />
<h:br />
The <h:code>ChallengeResponseAuthentication</h:code> setting enables <h:em>TIS Challenge/Response</h:em>
in SSH protocol version 1, and keyboard-interactive in SSH protocol v2. Hence, in our case, it is best
set disabled as we do not want regular password authentication to be enabled (and don't use protocol
version 1).
<h:br />
<h:pre>### /etc/ssh/sshd_config : ChallengeResponseAuthentication
# Set this to "no"
ChallengeResponseAuthentication no</h:pre>
</description>
<!-- @@GEN START rule-sshd-nochallengeresponse -->
<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-nochallengeresponse" selected="false">
<title>file /etc/ssh/sshd_config must have a line that matches ^ChallengeResponseAuthentication no</title>
<description>file /etc/ssh/sshd_config must have a line that matches ^ChallengeResponseAuthentication no</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.gentoo.dev.swift:def:3" href="openssh-oval.xml" />
</check>
</Rule>
<!-- @@GEN END rule-sshd-nochallengeresponse -->
</Group>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_config-acl">
<title>Access control related settings</title>
<description>
By default, OpenSSH allows access from any location and by any user who gets authenticated properly.
However, it is safer if you can restrict access to the hosts that are allowed to reach the SSH service
(and no other hosts) as well as to the users that are known to access the system remotely.
</description>
<Group id="xccdf_org.gentoo.dev.swift_group_config-acl-allowgroup">
<title>Only allow specific group(s) access</title>
<description>
Not every user on your system needs to be able to remotely log on to the system. Many
users on your system are local-only, either because they are service accounts, or
because the users are only meant to log on directly (or through another service).
<h:br />
<h:br />
With OpenSSH, you can limit SSH access to users defined in a limited set of (Unix) groups.
It is recommended to define a Unix group (like <h:code>ssh</h:code> if that isn't used by the
service daemon itself) in which those users are defined, and then only allow SSH access
for this group.
<h:br />
<h:pre>### /etc/ssh/sshd_config : AllowGroups
# Set this to the Unix group(s) whose members are allowed access
AllowGroups ssh</h:pre>
</description>
<!-- @@GEN START rule-sshd-allowgroup -->
<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-allowgroup" selected="false">
<title>file /etc/ssh/sshd_config must have a line that matches ^AllowGroup</title>
<description>file /etc/ssh/sshd_config must have a line that matches ^AllowGroup</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.gentoo.dev.swift:def:5" href="openssh-oval.xml" />
</check>
</Rule>
<!-- @@GEN END rule-sshd-allowgroup -->
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_config-acl-hosts">
<title>Only allow specific host(s) access</title>
<description>
Not every host on your network (or beyond) needs access to your system. On the contrary, most
hosts probably shouldn't have SSH access to your system.
<h:br />
<h:br />
With a service called <h:em>tcpwrappers</h:em>, OpenSSH allows administrators to define the hosts
allowed access (or explicitly not allowed access) in the <h:code>/etc/hosts.allow</h:code> and
<h:code>/etc/hosts.deny</h:code> files.
<h:br />
<h:br />
For a good secure setting, it is recommended to disallow access from any host, and then explicitly grant
access from a select set of hosts (or subnetworks).
<h:br />
<h:pre>### /etc/hosts.allow
# Give the list of allowed hosts or networks
sshd: 192.168.1.0/24</h:pre><h:br />
<h:pre>### /etc/hosts.deny
# Deny access by default from everywhere
sshd: ALL</h:pre>
</description>
<!-- @@GEN START rule-sshd-hostsallow -->
<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-hostsallow" selected="false">
<title>file /etc/hosts.allow must have a line that matches ^sshd:</title>
<description>file /etc/hosts.allow must have a line that matches ^sshd:</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.gentoo.dev.swift:def:6" href="openssh-oval.xml" />
</check>
</Rule>
<!-- @@GEN END rule-sshd-hostsallow -->
<!-- @@GEN START rule-sshd-hostsdeny -->
<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-hostsdeny" selected="false">
<title>file /etc/hosts.deny must have a line that matches ^sshd: ALL</title>
<description>file /etc/hosts.deny must have a line that matches ^sshd: ALL</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.gentoo.dev.swift:def:7" href="openssh-oval.xml" />
</check>
</Rule>
<!-- @@GEN END rule-sshd-hostsdeny -->
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_config-acl-listen">
<title>Only listen on proper interfaces</title>
<description>
By default, OpenSSH listens on all available interfaces. In many cases though, this isn't necessary.
<h:br />
<h:br />
Multihomed systems (i.e. systems with multiple network interfaces) usually only use a single interface
for the administrative access, whereas the other interface is to connect to the Internet or disclose the
"business applications".
<h:br />
<h:br />
On dual stack systems (i.e. systems with an IPv4 and IPv6 stack) the IPv6 (or IPv4) address might not be
in use, or not for the administrative access (like through OpenSSH). In these cases, it is wise not to have
OpenSSH listen on these addresses either.
<h:br />
<h:pre>### /etc/ssh/sshd_config : ListenAddress
# Define a ListenAddress, but do not set it to "any address"
# (which is 0.0.0.0 in IPv4 and :: in IPv6)
ListenAddress 192.168.100.121</h:pre>
</description>
<!-- @@GEN START rule-sshd-listen -->
<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-listen" selected="false">
<title>file /etc/ssh/sshd_config must have a line that matches ^ListenAddress</title>
<description>file /etc/ssh/sshd_config must have a line that matches ^ListenAddress</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.gentoo.dev.swift:def:19" href="openssh-oval.xml" />
</check>
</Rule>
<!-- @@GEN END rule-sshd-listen -->
<!-- @@GEN START rule-sshd-listen4 -->
<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-listen4" selected="false">
<title>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress.*0.0.0.0</title>
<description>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress.*0.0.0.0</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.gentoo.dev.swift:def:17" href="openssh-oval.xml" />
</check>
</Rule>
<!-- @@GEN END rule-sshd-listen4 -->
<!-- @@GEN START rule-sshd-listen6 -->
<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-listen6" selected="false">
<title>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress[ ]*::$</title>
<description>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress[ ]*::$</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.gentoo.dev.swift:def:18" href="openssh-oval.xml" />
</check>
</Rule>
<!-- @@GEN END rule-sshd-listen6 -->
</Group>
</Group>
<Group id="xccdf_org.gentoo.dev.swift_group_config-use">
<title>Disable unused settings</title>
<description>
OpenSSH has a few more options that it supports. If you, however, have no need for these options,
it is safer to have them disabled. Potential vulnerabilities that might be discovered later on these
options then have no effect on your system.
</description>
<Group id="xccdf_org.gentoo.dev.swift_group_config-use-tcpfwd">
<title>Disable TCP forwarding</title>
<description>
SSH supports "tunneling", where packets are forwarded over a (partially) secure channel towards
another location. If you do not need this, disable TCP forwarding through <h:code>AllowTcpForwarding no</h:code>.
<h:br />
<h:pre>### /etc/ssh/sshd_config : AllowTcpForwarding
# If not needed, disable TCP forwarding
AllowTcpForwarding no</h:pre>
</description>
<!-- @@GEN START rule-sshd-notcpfwd -->
<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-notcpfwd" selected="false">
<title>file /etc/ssh/sshd_config must have a line that matches ^AllowTcpForwarding.*no</title>
<description>file /etc/ssh/sshd_config must have a line that matches ^AllowTcpForwarding.*no</description>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:org.gentoo.dev.swift:def:20" href="openssh-oval.xml" />
</check>
</Rule>
<!-- @@GEN END rule-sshd-notcpfwd -->
</Group>
</Group>
</Group>
</Benchmark>