STIGQter: STIG Summary: SLES 12 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The SUSE operating system SSH daemon must use privilege separation.

DISA Rule

SV-217278r603262_rule

Vulnerability Number

V-217278

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

SLES-12-030240

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Configure the SUSE operating system SSH daemon is configured to use privilege separation.

Uncomment the "UsePrivilegeSeparation" keyword in "/etc/ssh/sshd_config" and set the value to "yes" or "sandbox":

UsePrivilegeSeparation yes

Check Contents

Determine the version of SSH using the following command:

# ssh -V
OpenSSH_7.9p1

If the version of SSH is 7.5 or newer, this is Not Applicable.

Verify the SUSE operating system SSH daemon is configured to use privilege separation.

Check that the SUSE operating system SSH daemon performs privilege separation with the following command:

# sudo grep -i usepriv /etc/ssh/sshd_config

UsePrivilegeSeparation yes

If the "UsePrivilegeSeparation" keyword is not set to "yes" or "sandbox", is missing, or the returned line is commented out, this is a finding.

Vulnerability Number

V-217278

Documentable

False

Rule Version

SLES-12-030240

Severity Override Guidance

Determine the version of SSH using the following command:

# ssh -V
OpenSSH_7.9p1

If the version of SSH is 7.5 or newer, this is Not Applicable.

Verify the SUSE operating system SSH daemon is configured to use privilege separation.

Check that the SUSE operating system SSH daemon performs privilege separation with the following command:

# sudo grep -i usepriv /etc/ssh/sshd_config

UsePrivilegeSeparation yes

If the "UsePrivilegeSeparation" keyword is not set to "yes" or "sandbox", is missing, or the returned line is commented out, this is a finding.

Check Content Reference

M

Target Key

4033

Comments