
CCE-96009-6
Description: The INFO parameter specifies that login and logout activity will be logged. Rationale: SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that i ...

CCE-96046-8
The pam_pwquality module's 'ucredit=' parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length cre ...

CCE-96022-9
To ensure the SSH idle timeout occurs precisely when the 'ClientAliveCountMax' is set, edit '/etc/ssh/sshd_config' as follows: 'ClientAliveCountMax 0'

CCE-96054-2
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the SUSE operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the SUSE operating system passwords could be c ...

CCE-96057-5
The pam_pwquality module's 'ocredit=' parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_pwquali ...

CCE-96056-7
The pam_pwquality module's 'minlen' parameter controls requirements for minimum characters required in a password. Add 'minlen=15' after pam_pwquality to set minimum password length requirements.

CCE-96055-9
Do not allow users to reuse recent passwords. This can be accomplished by using the 'remember' option for the 'pam_unix' PAM module. In the file '/etc/pam.d/system-auth', append 'remember=5' to the line which refers to the 'pam_unix.so' module, as shown: 'password sufficient pam_unix.so

CCE-96174-8
Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command. I ...

CCE-96175-5
The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt th ...

CCE-96038-5
The 'gpgcheck' option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check package signatures before installing them, ensure the following line appears in '/etc/yum.conf' in the '[main]' section: 'gpgcheck=1'

CCE-96010-4
Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in '/etc/ssh/sshd_config' demonstrates use of FIPS-approved ciphers: 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc, ...

CCE-96089-8
Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.

CCE-96168-0
By limiting the number of failed access attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. The pam_tally2.so module maintains a count of attempted accesses. This includes user name ent ...

CCE-96053-4
The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 60 days. Rationale: The window of opportunity for an attacker to leverage compromised ...

CCE-96051-8
The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days. Rationale: By ...

CCE-96019-5
The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive ...

CPE    1
cpe:/o:suse:suse_linux_enterprise_server:15
*XCCDF
xccdf_org.secpod_benchmark_SecPod_SLES_15
OVAL    16
oval:org.secpod.oval:def:84478
oval:org.secpod.oval:def:84479
oval:org.secpod.oval:def:84459
oval:org.secpod.oval:def:84514
...

© SecPod Technologies