STIGQter: STIG Summary: Solaris 11 X86 Security Technical Implementation Guide, Version: 2, Release: 3, Benchmark Date: 23 Apr 2021

The rhost-based authentication for SSH must be disabled.

DISA Rule

SV-216116r603268_rule

Vulnerability Number

V-216116

Group Title

SRG-OS-000480

Rule Version

SOL-11.1-040350

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The root role is required.

Modify the sshd_config file.

# pfedit /etc/ssh/sshd_config

Locate the line containing:

IgnoreRhosts

Change it to:

IgnoreRhosts yes

Restart the SSH service.

# svcadm restart svc:/network/ssh


This action sets the IgnoreRhosts line to the proper value only if the line already exists in the file. If the IgnoreRhosts line does not exist in the file, the default setting of "Yes" is automatically used, so no additional changes are needed.

Check Contents

Determine if rhost-based authentication is enabled.

# grep "^IgnoreRhosts" /etc/ssh/sshd_config

If output is produced and it is not:

IgnoreRhosts yes

this is a finding.

If the IgnoreRhosts line does not exist in the file, the default setting of "Yes" is automatically used and there is no finding.
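The check above as a repeatable script; this is an added example, not part of the STIG text. The function name check_ignore_rhosts and the sample data are hypothetical. It assumes sshd parses keywords case-insensitively and ignores leading whitespace (OpenSSH-style parsing), so it also inspects lines that grep "^IgnoreRhosts" does not match.

```shell
#!/bin/sh
# Added example: audit IgnoreRhosts per the check above. The function name
# and sample data are constructed for illustration.
# Returns 0 = not a finding, 1 = finding, 2 = file unreadable.
check_ignore_rhosts() {
    conf=$1
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 2; }
    findings=0 explicit=0 lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -f; set -- $line; set +f      # word-split without globbing
        case ${1:-} in ''|'#'*) continue ;; esac
        kw=$(printf '%s' "$1" | tr '[A-Z]' '[a-z]')
        case $kw in
            ignorerhosts|ignorerhosts=*) ;;
            *) continue ;;
        esac
        # Only the exact form "IgnoreRhosts yes" passes; any other value,
        # "key=value" form or trailing text is reported for review.
        if [ "$kw" = ignorerhosts ] && [ $# -eq 2 ] && [ "$2" = yes ]; then
            explicit=1
        else
            echo "FINDING: $conf:$lineno: $line"
            findings=$((findings + 1))
        fi
    done < "$conf"
    [ "$findings" -eq 0 ] || return 1
    if [ "$explicit" -eq 1 ]; then
        echo "NOT A FINDING: IgnoreRhosts yes is set explicitly"
    else
        echo "NOT A FINDING: IgnoreRhosts absent, default applies"
    fi
}

# Demo on a constructed sample: the indented, lowercase line is not matched
# by grep "^IgnoreRhosts" but is caught here.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'Port 22' '  ignorerhosts no' > "$sample"
check_ignore_rhosts "$sample" || echo "exit status: $?"
rm -f "$sample"
```

On a live system, call check_ignore_rhosts /etc/ssh/sshd_config and treat exit status 1 as the finding.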

Documentable

False

Check Content Reference

M

Target Key

4021
