CCE-91817-7Platform: cpe:/o:apple:mac_os_x:10.13 | Date: (C)2018-02-21 (M)2023-07-04 |
Set the SSH Idle Timeout Interval and the Timeout for the Login Prompt
SSH should be configured to log users out after a 15 minute interval of inactivity and to only wait 30 seconds before timing out login attempts. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session or an incomplete login attempt will also free up resources committed by the managed network element.
Parameter:
[Seconds, Maximum_Count, Seconds]
Technical Mechanism:
The SSH daemon ClientAliveInterval option must be set correctly. To check the idle timeout setting for SSH sessions, run the following:
sudo grep ^ClientAliveInterval /etc/sshd_config
If the setting is not '600', this is a finding.
The SSH daemon ClientAliveCountMax option must be set correctly. To ensure the SSH idle timeout will occur when the 'ClientAliveCountMax' is set, run the following command:
sudo grep ^ClientAliveCountMax /etc/sshd_config
If the setting is not 'ClientAliveCountMax 0', this is a finding.
The SSH daemon LoginGraceTime must be set correctly. To check the amount of time that a user can login through SSH, run the following command:
sudo grep ^LoginGraceTime /etc/sshd_config
If the value is not set to '30' or less, this is a finding.
CCSS Severity: | CCSS Metrics: |
CCSS Score : 8.1 | Attack Vector: NETWORK |
Exploit Score: 2.2 | Attack Complexity: HIGH |
Impact Score: 5.9 | Privileges Required: NONE |
Severity: HIGH | User Interaction: NONE |
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | Scope: UNCHANGED |
| Confidentiality: HIGH |
| Integrity: HIGH |
| Availability: HIGH |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:44279 |