Ssh_techspec.xlsx

Uploaded by: Ashwin Sivaraman, November 2019 (PDF)

© Copyright IBM Corporation, 1997, 2014 - All Rights Reserved

Tech Spec Review
  Date Reviewed (mm/dd/yy):
  Server/System name: ORACLE RAC
  Special Considerations for this Tech Spec:
  Name(s) of Individuals / Role:
  Review Comments:
  Review columns: Customer Requirement, Potential Threat, Exception to requirement (tech spec reference), Agreed to Value, Notes

SSH Technical Specification
  Version 1.0, 25 July 2018
  Document Template version: Version -
  Release Levels (ensure the product versions reflect those supported by the client):
    • OpenSSH
    • F-Secure SSH
    • SSH Communications Secure Shell
    • VanDyke VShell for Windows
    • SunSSH (Solaris Secure Shell)
    • RemotelyAnywhere for Windows
    • Attachmate Reflection for Secure IT UNIX Server
    • Attachmate Reflection for Secure IT Windows Server
    • Bitvise WinSSHD

Legend
  B = baseline
  S = healthcheck and baseline
  I = informational requirement (no requirement to B or S)
  P = process requirement (no requirement to B or S)
  Foundation (Y/N)

Requirement columns: Section #, Section Heading, System Value/Parameter, Description, Recommended Value

AV.1.1.0 (I, Foundation: Y) - Password Requirements
  Parameter: Username/Password Authentication
  Description: No requirements in this category
  Recommended value: No requirements in this category

AV.1.1.1 (S, Foundation: Y) - Password Requirements
  Parameter: PermitEmptyPasswords
  Description: Allows login to accounts with empty password strings.
  Recommended value: no
  Applies to: OpenSSH/F-Secure/SSH Communications/SunSSH/Attachmate RSIT UNIX Server only (OS: Unix, Linux)

AV.1.1.2 (S, Foundation: Y) - Password Requirements
  Parameter: Disallow Blank Passwords
  Description: Disallows login to accounts with empty password strings.
  Recommended value: 1
  Applies to: VanDyke VShell only (OS: Windows)

AV.1.1.3 (S, Foundation: Y) - Password Requirements
  Parameter: Authentication Password - Permit empty passwords
  Description: Allows login to accounts with empty password strings.
  Applies to: Attachmate RSIT Windows Server only (OS: Windows)

AV.1.2.1.1 (I, Foundation: Y) - Logging
  Parameter: Note
  Description: On most OS platforms, the standard system access logs are sufficient to record the required auditable records.
  Applies to: OpenSSH/SunSSH/Attachmate RSIT UNIX Server only (OS: Unix, Linux)

AV.1.2.1.2 (S, Foundation: Y) - Logging
  Parameter: LogLevel
  Description: Determines the level of logging.
  Recommended value: If the OS platform does not record the required auditable records, logging must be performed through the syslog subsystem. If logging is performed through syslog, the LogLevel must be set to INFO or higher.
  Applies to: OpenSSH/SunSSH/Attachmate RSIT UNIX Server only (OS: Unix, Linux)

AV.1.2.1.3 (S, Foundation: Y) - Logging
  Parameter: LogLevel
  Description: Determines the level of logging. If any DEBUG level is specified, the resultant log files must be accessible only by the superuser (e.g. root or administrator) account in order to maintain privacy of user data.
  Recommended value: Must be set to VERBOSE or higher if multiple keys are used to access shared IDs.
  Applies to: OpenSSH/SunSSH/Attachmate RSIT UNIX Server only (OS: Unix, Linux)

AV.1.2.2 (S, Foundation: Y) - Logging
  Parameter: QuietMode
  Description: Specifies that only fatal errors should be logged.
  Recommended value: no (must not be selected)
  Applies to: F-Secure/SSH Communications only (OS: Unix, Linux)

AV.1.2.3.1 (S, Foundation: Y) - Logging
  Parameter: Log Topic Authentication
  Description: Determines which event types are logged.
  Recommended value: 1
  Applies to: VanDyke VShell only (OS: Windows)

AV.1.2.3.2 (S, Foundation: Y) - Logging
  Parameter: Log Topic Error
  Description: Determines which event types are logged.
  Recommended value: 1
  Applies to: VanDyke VShell only (OS: Windows)

AV.1.2.3.3 (S, Foundation: Y) - Logging
  Parameter: Log Topic Forward
  Description: Determines which event types are logged.
  Recommended value: 1
  Applies to: VanDyke VShell only (OS: Windows)

AV.1.2.3.4 (S, Foundation: Y) - Logging
  Parameter: Log Topic Info
  Description: Determines which event types are logged.
  Recommended value: 1
  Applies to: VanDyke VShell only (OS: Windows)

AV.1.2.3.5 (S, Foundation: Y) - Logging
  Parameter: Log Topic SFTP
  Description: Determines which event types are logged.
  Recommended value: 1
  Applies to: VanDyke VShell only (OS: Windows)

AV.1.2.3.6 (S, Foundation: Y) - Logging
  Parameter: Log Topic Warning
  Description: Determines which event types are logged.
  Recommended value: 1
  Applies to: VanDyke VShell only (OS: Windows)

AV.1.2.4.1 (S, Foundation: Y) - Logging
  Parameter: Server - Logging - Log to Windows Event Log
  Description: Configures logging to the Windows Event Log.
  Recommended value: If selected, the "Server - Logging Windows Event Log logging level" parameter must be set to at least "Errors, Warnings".
  Applies to: Bitvise WinSSHD only (OS: Windows)

AV.1.2.4.2 (S, Foundation: Y) - Logging
  Parameter: Server - Logging - Log to textual log file
  Description: Configures logging to a log file.
  Recommended value: If selected, the "Server - Logging Textual log file logging level" parameter must be set to at least "Errors, Warnings".
  Applies to: Bitvise WinSSHD only (OS: Windows)

AV.1.2.4.3 (S, Foundation: Y) - Logging
  Parameter: Event Logging - Enable logging to Windows Event Viewer
  Description: Configures logging to the Windows Event Log.
  Recommended value: If selected, must be configured to capture at least "Errors" and "Warnings".
  Applies to: Attachmate RSIT Windows Server only (OS: Windows)

AV.1.2.4.4 (S, Foundation: Y) - Logging
  Parameter: Debug Logging - Enable debug logging to log file
  Description: Configures logging to a log file.
  Recommended value: If selected, must be configured to capture at least "Errors" and "Warnings".
  Applies to: Attachmate RSIT Windows Server only (OS: Windows)

AV.1.2.4 (B, Foundation: Y) - Logging
  Parameter: Retain Log Files
  Description: None
  Recommended value: 90 days

AV.1.3.0 (I, Foundation: Y) - AntiVirus
  Parameter: No requirements in this category
  Description: No requirements in this category
  Recommended value: No requirements in this category

AV.1.4.1 (B, Foundation: N) - System Settings
  Parameter: KeepAlive
  Description: Configures the server to send TCP keepalive messages to the client and clean up crashed sessions to prevent indefinitely hanging sessions.
  Recommended value: yes
  Applies to: OpenSSH 3.7 and prior/SunSSH/Attachmate RSIT UNIX Server (OS: Unix, Linux)

AV.1.4.2 (B, Foundation: N) - System Settings
  Parameter: TCPKeepAlive
  Description: Configures the server to send TCP keepalive messages to the client and clean up crashed sessions to prevent indefinitely hanging sessions.
  Recommended value: yes
  Applies to: OpenSSH 3.8 and greater (OS: Unix, Linux)

AV.1.4.3 (B, Foundation: N) - System Settings
  Parameter: LoginGraceTime
  Description: The number of seconds before the server disconnects a session that has not been successfully authenticated.
  Recommended value: 120 or less and must not be 0
  Applies to: OpenSSH/F-Secure/SSH Communications/SunSSH/Attachmate RSIT UNIX Server only (OS: Unix, Linux)

AV.1.4.4 (B, Foundation: N) - System Settings
  Parameter: MaxConnections
  Description: The maximum number of simultaneous sessions that can be open to the server.
  Recommended value: 100 or less, unless there is a valid need for more simultaneous connections
  Applies to: F-Secure/SSH Communications only (OS: Unix, Linux)

AV.1.4.5 (B, Foundation: N) - System Settings
  Parameter: MaxStartups
  Description: The maximum number of simultaneous, unauthenticated sessions that can be open to the server.
  Recommended value: 100 or less. Alternatively, the MaxStartups option can be configured using the "start:rate:full" syntax. The setting for "full" must not exceed 100.
  Applies to: OpenSSH/SunSSH/Attachmate RSIT UNIX Server only (OS: Unix, Linux)

AV.1.4.6 (B, Foundation: N) - System Settings
  Parameter: Keep Alive
  Description: Configures the server to send TCP keepalive messages to the client and clean up crashed sessions to prevent indefinitely hanging sessions.
  Recommended value: 1
  Applies to: VanDyke VShell only (OS: Windows)

AV.1.4.7 (B, Foundation: N) - System Settings
  Parameter: Authentication Timeout
  Description: The number of seconds before the server disconnects a session that has not been successfully authenticated.
  Recommended value: 120 or less
  Applies to: VanDyke VShell only (OS: Windows)

AV.1.4.8 (B, Foundation: N) - System Settings
  Parameter: MaxAuthTries
  Description: Specifies the maximum number of authentication attempts permitted per connection.
  Recommended value: 5 or less
  Applies to: OpenSSH 3.9 and greater / SunSSH (OS: Unix, Linux)

AV.1.4.9 (B, Foundation: N) - System Settings
  Parameter: Maximum Authentication Retries
  Description: Specifies the maximum number of authentication attempts permitted per connection.
  Recommended value: 5 or less
  Applies to: VanDyke VShell only (OS: Windows)

AV.1.4.10 (B, Foundation: N) - System Settings
  Parameter: Session - Keep-alive / broken session detection
  Description: The number of seconds of inactivity before the server will send a keep-alive request to the client.
  Recommended value: 60 or less, and must not be 0
  Applies to: Bitvise WinSSHD only (OS: Windows)

AV.1.4.11 (B, Foundation: N) - System Settings
  Parameter: Session - Login timeout
  Description: The number of seconds before the server disconnects a session that has not been successfully authenticated.
  Recommended value: 120 or less, and must not be 0
  Applies to: Bitvise WinSSHD only (OS: Windows)

AV.1.4.12 (B, Foundation: N) - System Settings
  Parameter: Session - Maximum login attempts
  Description: Specifies the maximum number of authentication attempts permitted per connection.
  Recommended value: 5 or less
  Applies to: Bitvise WinSSHD only (OS: Windows)

AV.1.4.13 (B, Foundation: N) - System Settings
  Parameter: Session - Maximum total sessions
  Description: The maximum number of simultaneous sessions that can be open to the server.
  Recommended value: 100 or less
  Applies to: Bitvise WinSSHD only (OS: Windows)

AV.1.4.14 (B, Foundation: N) - System Settings
  Parameter: AuthKbdInt.Retries
  Description: Specifies the maximum number of authentication attempts permitted per connection.
  Recommended value: 5 or less
  Applies to: Attachmate RSIT UNIX Server only (OS: Unix)

AV.1.4.15 (B, Foundation: N) - System Settings
  Parameter: Network - Client keep alive
  Description: The number of seconds the server waits between sending keepalive messages to the client.
  Recommended value: 60 or less, and must not be 0
  Applies to: Attachmate RSIT Windows Server only (OS: Windows)

AV.1.4.16 (B, Foundation: N) - System Settings
  Parameter: Authentication - Grace time for completion of authentication process
  Description: The number of seconds before the server disconnects a session that has not been successfully authenticated.
  Recommended value: 120 or less, and must not be 0
  Applies to: Attachmate RSIT Windows Server only (OS: Windows)

AV.1.4.17 (B, Foundation: N) - System Settings
  Parameter: Authentication Password - Number of password attempts
  Description: Specifies the maximum number of password authentication attempts permitted per connection.
  Recommended value: 5 or less
  Applies to: Attachmate RSIT Windows Server only (OS: Windows)

AV.1.4.18 (B, Foundation: N) - System Settings
  Parameter: General - Maximum number of connections
  Description: The maximum number of simultaneous sessions that can be open to the server.
  Recommended value: 100 or less
  Applies to: Attachmate RSIT Windows Server only (OS: Windows)

AV.1.5.1 (B, Foundation: N) - Network Settings
  Parameter: KeyRegenerationInterval
  Description: The number of seconds that elapse between regenerations of the server's ephemeral key.
  Recommended value: 3600 or less, and must not be 0
  Applies to: OpenSSH/SunSSH only (OS: Unix, Linux)

AV.1.5.2 (B, Foundation: N) - Network Settings
  Parameter: Protocol
  Description: The SSH protocol(s) that are accepted by the server.
  Recommended value: "2", "2,1" or "1,2"
  Note: SSH Protocol 1 is known to contain inherent weaknesses. Therefore, Protocol 2 must be enabled. Protocol 1 is permissible only in situations where interoperability issues prevent the use of Protocol 2.
  Applies to: OpenSSH/SunSSH only (OS: Unix, Linux)

AV.1.5.3 (B, Foundation: N) - Network Settings
  Parameter: SSH1ServerKeyTime
  Description: The number of seconds that elapse between regenerations of the server's ephemeral key.
  Recommended value: 3600 or less, and must not be 0
  Applies to: RemotelyAnywhere only (OS: Windows)

AV.1.5.4 (B, Foundation: N) - Network Settings
  Parameter: SSH2
  Description: Configures the server to accept the SSH2 protocol.
  Recommended value: 1
  Note: SSH Protocol 1 is known to contain inherent weaknesses. Therefore, Protocol 2 must be enabled. Protocol 1 is permissible only in situations where interoperability issues prevent the use of Protocol 2.
  Applies to: RemotelyAnywhere only (OS: Windows)

AV.1.5.5 (B, Foundation: N) - Network Settings
  Parameter: GatewayPorts
  Description: Specifies whether remote hosts are allowed to connect to ports forwarded for the client. Can be used to bypass firewall controls.
  Recommended value: no
  Applies to: OpenSSH/SunSSH/Attachmate RSIT UNIX Server only (OS: Unix, Linux)

AV.1.5.6 (B, Foundation: N) - Network Settings
  Parameter: Access control Windows groups / Access control Windows accounts / Access control - Virtual groups / Access control - Virtual accounts
  Description: Configures access controls for users and groups.
  Recommended value: The "Permit S2C port forwarding" parameter must not be enabled for any users/groups.
  Applies to: Bitvise WinSSHD only (OS: Windows)

AV.1.5.7 (B, Foundation: N) - Network Settings
  Parameter: Permissions - Allow server to client (remote) port forwarding
  Description: Specifies whether remote hosts are allowed to connect to ports forwarded for the client. Can be used to bypass firewall controls.
  Recommended value: Must not be enabled.
  Applies to: Attachmate RSIT Windows Server only (OS: Windows)

AV.1.7.1.1 (S, Foundation: N) - Identify and Authenticate Users
  Parameter: PermitRootLogin
  Description: Permits the root user to login remotely.
  Recommended value: May be set to "forced-commands-only" or "without-password" only if mechanisms are in place to determine the identity of the individual accessing the system. Otherwise, must be set to "no".
  Applies to: OpenSSH/F-Secure/SSH Communications/SunSSH/Attachmate RSIT UNIX Server only (OS: Unix, Linux)

AV.1.7.1.2 (B, Foundation: N) - Identify and Authenticate Users
  Parameter: PermitRootLogin forcedcommands / PermitRootLogin without-password / PermitRootLogin yes
  Description: Permits the root user to login remotely.
  Recommended value: If public-key authentication is used to access the root account, separate private keys must be used for each individual and logs must be maintained showing which individuals have accessed the root account.
  Applies to: OpenSSH/F-Secure/SSH Communications/SunSSH/Attachmate RSIT UNIX Server only (OS: Unix, Linux)

AV.1.7.2 (P, Foundation: N) - Identify and Authenticate Users
  Parameter: Public Key Authentication
  Description: Public key authentication allows a user to authenticate to a system without the use of a password.
  Recommended value: Keys used for authentication must meet the required bit length value for public key algorithms specified in the base policy. The key pairs do not need to be updated periodically. However, if the private key is suspected to have been compromised, the public and private keys must be regenerated.

AV.1.7.3.1 (P, Foundation: N) - Identify and Authenticate Users
  Parameter: Host-Based Authentication
  Description: Host-based authentication allows access based on a list of trusted hosts in combination with successful client-key authentication.
  Recommended value: All hosts from which the system is to be accessed using host-based authentication must be subject to the requirements of this document.

AV.1.7.3.2 (B, Foundation: N) - Identify and Authenticate Users
  Parameter: Host-Based Authentication - /etc/hosts.equiv file
  Description: Host-based authentication allows access based on a list of trusted hosts in combination with successful client-key authentication.
  Recommended value: Must not be used to enable host-based authentication.

AV.1.7.3.3 (B, Foundation: N) - Identify and Authenticate Users
  Parameter: Host-Based Authentication - /etc/shosts.equiv file
  Description: Host-based authentication allows access based on a list of trusted hosts in combination with successful client-key authentication.
  Recommended value: Must be used if host-based authentication is enabled. This prevents unintentionally permitting access via the rsh/rlogin/rcp commands.

AV.1.7.4 (P, Foundation: N) - Identify and Authenticate Users
  Parameter: PubkeyAuthentication
  Description: Permits users to login using public/private key pairs.
  Recommended value: If set to "yes", the requirements in the "Public Key Authentication" section must be applied.
  Applies to: OpenSSH/SunSSH only (OS: Unix, Linux)

AV.1.7.5 (P, Foundation: N) - Identify and Authenticate Users
  Parameter: RSAAuthentication
  Description: Specifies whether pure RSA authentication is allowed.
  Recommended value: If set to "yes", the requirements in the "Public Key Authentication" section must be applied.
  Applies to: OpenSSH/SunSSH only (OS: Unix, Linux)

AV.1.7.6 (P, Foundation: N) - Identify and Authenticate Users
  Parameter: HostbasedAuthentication
  Description: Specifies whether host-based authentication is allowed.
  Recommended value: If set to "yes", the requirements in the "Host-Based Authentication" section must be applied.
  Applies to: OpenSSH/SunSSH only (OS: Unix, Linux)

AV.1.7.7 (P, Foundation: N) - Identify and Authenticate Users
  Parameter: AllowedAuthentications
  Description: Specifies the authentication mechanisms that are allowed.
  Recommended value: If the setting contains "publickey", the requirements in the "Public Key Authentication" section must be applied. If the setting contains "hostbased", the requirements in the "Host-Based Authentication" section must be applied.
  Applies to: F-Secure/SSH Communications/Attachmate RSIT UNIX Server only (OS: Unix, Linux)

AV.1.7.8 (P, Foundation: N) - Identify and Authenticate Users
  Parameter: Authentications Allowed
  Description: Specifies the authentication mechanisms that are allowed.
  Recommended value: If the setting contains "publickey", the requirements in the "Public Key Authentication" section must be applied.
  Applies to: VanDyke VShell only (OS: Windows)

AV.1.7.9 (P, Foundation: N) - Identify and Authenticate Users
  Parameter: AuthPubkey
  Description: Permits users to login using public/private key pairs.
  Recommended value: If set to 1, the requirements in the "Public Key Authentication" section must be applied.
  Applies to: RemotelyAnywhere only (OS: Windows)

AV.1.7.10 (P, Foundation: N) - Identify and Authenticate Users
  Parameter: Access control Windows groups / Access control Windows accounts / Access control - Virtual groups / Access control - Virtual accounts
  Description: Configures access controls for users and groups.
  Recommended value: If any Windows or Virtual users/groups have "Public key authentication" set to "allowed", the requirements in the "Public Key Authentication" section must be applied.
  Applies to: Bitvise WinSSHD only (OS: Windows)

AV.1.7.11 (P, Foundation: N) - Identify and Authenticate Users
  Parameter: Authentication - Public Key - Public key authentication
  Description: Permits users to login using public/private key pairs.
  Recommended value: If the setting is "Allowed" or "Required", the requirements in the "Public Key Authentication" section must be applied.
  Applies to: Attachmate RSIT Windows Server only (OS: Windows)
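The OpenSSH rows above (PermitEmptyPasswords, LogLevel, LoginGraceTime, MaxStartups, MaxAuthTries, KeyRegenerationInterval, Protocol, GatewayPorts, PermitRootLogin, TCPKeepAlive) can be checked mechanically against an sshd_config. The checker below is an added example, not the IBM tech spec's own code: the thresholds are the spec's recommended values, while the parser, the finding format and the constructed sample configuration are assumptions made here.

```python
"""Check an OpenSSH sshd_config against the AV.1.x rows of the tech spec above.

Added example, not the IBM tech spec's own code: the thresholds are the spec's
recommended values; the parser, finding format and sample config are assumed.
"""
import re

# Ordered from least to most verbose, as in sshd_config(5).
LOG_LEVELS = ["QUIET", "FATAL", "ERROR", "INFO", "VERBOSE", "DEBUG", "DEBUG1", "DEBUG2", "DEBUG3"]


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section: sshd honours the first
    occurrence of a keyword, and directives after the first Match block are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        cfg.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return cfg


def to_seconds(value):
    """Parse an sshd time value: plain seconds or a number with s/m/h/d/w suffix."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.lower())
    if not m:
        raise ValueError("bad time value: %r" % value)
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}[m.group(2)]


def check_baseline(cfg):
    """Return (section, message) findings for the global section; [] means compliant."""
    out = []

    def get(key, section):
        # Lower-cased value of key, or "" after recording that the key is not set at all.
        if key not in cfg:
            out.append((section, key + " not set explicitly; the version default applies"))
        return cfg.get(key, "").lower()

    v = get("permitemptypasswords", "AV.1.1.1")
    if v and v != "no":
        out.append(("AV.1.1.1", "PermitEmptyPasswords must be no"))
    v = get("loglevel", "AV.1.2.1.2").upper()
    if v and (v not in LOG_LEVELS or LOG_LEVELS.index(v) < LOG_LEVELS.index("INFO")):
        out.append(("AV.1.2.1.2", "LogLevel must be INFO or higher"))
    elif v.startswith("DEBUG"):
        out.append(("AV.1.2.1.3", "DEBUG logging: log files must be readable only by the superuser"))
    v = get("protocol", "AV.1.5.2")
    protos = {p.strip() for p in v.split(",")} if v else set()
    if v and "2" not in protos:
        out.append(("AV.1.5.2", "Protocol 2 must be enabled"))
    elif "1" in protos:
        out.append(("AV.1.5.2", "Protocol 1 enabled: permissible only where interoperability requires it"))
    v = get("logingracetime", "AV.1.4.3")
    if v and not 0 < to_seconds(v) <= 120:
        out.append(("AV.1.4.3", "LoginGraceTime must be 120 or less and must not be 0"))
    v = get("maxstartups", "AV.1.4.5")             # plain N, or start:rate:full with full last
    if v and int(v.split(":")[-1]) > 100:
        out.append(("AV.1.4.5", "MaxStartups (or its 'full' field) must not exceed 100"))
    v = get("maxauthtries", "AV.1.4.8")
    if v and int(v) > 5:
        out.append(("AV.1.4.8", "MaxAuthTries must be 5 or less"))
    v = get("keyregenerationinterval", "AV.1.5.1")
    if v and not 0 < to_seconds(v) <= 3600:
        out.append(("AV.1.5.1", "KeyRegenerationInterval must be 3600 or less and must not be 0"))
    v = get("gatewayports", "AV.1.5.5")
    if v and v != "no":
        out.append(("AV.1.5.5", "GatewayPorts must be no"))
    v = get("permitrootlogin", "AV.1.7.1.1")
    if v == "yes":
        out.append(("AV.1.7.1.1", "PermitRootLogin yes is not permitted"))
    elif v and v != "no":
        out.append(("AV.1.7.1.2", "PermitRootLogin " + v + ": per-individual keys and access logs required"))
    # TCPKeepAlive on OpenSSH 3.8 and greater, KeepAlive on 3.7 and prior (AV.1.4.1 / AV.1.4.2).
    if cfg.get("tcpkeepalive", cfg.get("keepalive", "")).lower() != "yes":
        out.append(("AV.1.4.2", "TCPKeepAlive (KeepAlive on OpenSSH 3.7 and prior) must be yes"))
    return out


# Constructed sample (not from any real host); several rows are deliberately violated.
SAMPLE_CONFIG = """\
Protocol 2,1
LogLevel DEBUG
PermitEmptyPasswords no
LoginGraceTime 2m
MaxStartups 10:30:200
MaxAuthTries 6
KeyRegenerationInterval 3600
GatewayPorts yes
PermitRootLogin without-password
TCPKeepAlive yes
Match User backup
    GatewayPorts no
"""
```

Running `check_baseline(parse_sshd_config(SAMPLE_CONFIG))` reports the DEBUG log-file caveat, the Protocol 1 interoperability caveat, MaxStartups, MaxAuthTries, GatewayPorts and the PermitRootLogin identity requirement; the GatewayPorts line inside the Match block does not rescue the global setting.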

P

N

AV.1.8.0.1

Protecting Resources – OSRs

Note

none

I

N

AV.1.8.1.1

Protecting Resources – OSRs

Note

/opt/freeware/

I

N

AV.1.8.1.2

Protecting Resources – OSRs

Note

/usr/

The files in the "Executable and Libraries" section below typically reside in one of these directories.

I

N

AV.1.8.1.3

Protecting Resources – OSRs

Note

/usr/local/

The files in the "Executable and Libraries" section below typically reside in one of these directories.

I

N

AV.1.8.1.4

Protecting Resources – OSRs

Note

/usr/openssh/

The files in the "Executable and Libraries" section below typically reside in one of these directories.

I

N

AV.1.8.1.5

Protecting Resources – OSRs

Note

/usr/ssh/

The files in the "Executable and Libraries" section below typically reside in one of these directories.

I

N

AV.1.8.2.0

Protecting Resources – OSRs

Note

All SSH server configuration files, executables and The Following is a minimum set of SSH libraries must be treated as OSR objects. server files that must be treated as OSRs:

S

N

AV.1.8.2.1

Protecting Resources – OSRs

bin/openssl

OSR Executable and Libraries (OS: Unix/Linux)

Source code must be validated against trusted MD5 or PGP signatures to ensure that the code has not been compromised and to eliminate the threat of compiletime trojan horse attacks. Alternatively, pre-compiled distributions may be used if they originate from a The filessource. in the "Executable and trusted Libraries" section below typically reside in one of these directories.

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.2

Protecting Resources – OSRs

bin/scp

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.3

Protecting Resources – OSRs

bin/scp2

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.4

Protecting Resources – OSRs

bin/sftp

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.5

Protecting Resources – OSRs

bin/sftp2

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.6

Protecting Resources – OSRs

bin/sftp-server

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.7

Protecting Resources – OSRs

bin/sftp-server2

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.8

Protecting Resources – OSRs

bin/slogin

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.9

Protecting Resources – OSRs

bin/ssh

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.10

Protecting Resources – OSRs

bin/ssh2

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.11

Protecting Resources – OSRs

bin/ssh-add

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.12

Protecting Resources – OSRs

bin/ssh-add2

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.13

Protecting Resources – OSRs

bin/ssh-agent

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.14

Protecting Resources – OSRs

bin/ssh-agent2

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.15

Protecting Resources – OSRs

bin/ssh-askpass

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.16

Protecting Resources – OSRs

bin/ssh-askpass2

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.17

Protecting Resources – OSRs

bin/ssh-certenroll2

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.18

Protecting Resources – OSRs

bin/ssh-chrootmgr

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.19

Protecting Resources – OSRs

bin/ssh-dummy-shell

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.20

Protecting Resources – OSRs

bin/ssh-keygen

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.21

Protecting Resources – OSRs

bin/ssh-keygen2

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.22

Protecting Resources – OSRs

bin/ssh-keyscan

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.23

Protecting Resources – OSRs

bin/ssh-pam-client

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.24

Protecting Resources – OSRs

bin/ssh-probe

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.25

Protecting Resources – OSRs

bin/ssh-probe2

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.26

Protecting Resources – OSRs

bin/ssh-pubkeymgr

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.27

Protecting Resources – OSRs

bin/ssh-signer

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.28

Protecting Resources – OSRs

bin/ssh-signer2

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.29

Protecting Resources – OSRs

lib/libcrypto.a

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.30

Protecting Resources – OSRs

lib/libssh.a

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.31

Protecting Resources – OSRs

lib/libssl.a

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.32

Protecting Resources – OSRs

lib/libz.a

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.33

Protecting Resources – OSRs

lib-exec/openssh/sftpserver

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.34

Protecting Resources – OSRs

lib-exec/openssh/sshkeysign

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.35

Protecting Resources – OSRs

lib-exec/openssh/sshaskpass

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.36

Protecting Resources – OSRs

lib-exec/sftp-server

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.37

Protecting Resources – OSRs

lib-exec/ssh-keysign

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.38

Protecting Resources – OSRs

lib-exec/ssh-rand-helper OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.39

Protecting Resources – OSRs

libexec/openssh/sftpserver

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.40

Protecting Resources – OSRs

libexec/openssh/sshkeysign

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.41

Protecting Resources – OSRs

libexec/openssh/sshaskpass

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.42

Protecting Resources – OSRs

libexec/sftp-server

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.43

Protecting Resources – OSRs

libexec/ssh-keysign

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.44

Protecting Resources – OSRs

libexec/ssh-rand-helper

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.45

Protecting Resources – OSRs

sbin/sshd

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.46

Protecting Resources – OSRs

sbin/sshd2

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.47

Protecting Resources – OSRs

sbin/sshd-check-conf

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.49

Protecting Resources – OSRs

/lib/svc/method/sshd

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.2.50

Protecting Resources – OSRs

/usr/lib/ssh/sshd

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.3.1

Protecting Resources – OSRs

/ OSR Configuration File etc/openssh/sshd_config (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.3.2

Protecting Resources – OSRs

/etc/ssh/sshd_config

OSR Configuration File (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.3.3

Protecting Resources – OSRs

/etc/ssh/sshd2_config

OSR Configuration File (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.3.4

Protecting Resources – OSRs

/etc/ssh2/sshd_config

OSR Configuration File (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.3.5

Protecting Resources – OSRs

/etc/ssh2/sshd2_config

OSR Configuration File (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.3.6

Protecting Resources – OSRs

/etc/sshd_config

OSR Configuration File (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.3.7

Protecting Resources – OSRs

/etc/sshd2_config

OSR Configuration File (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.3.8

Protecting Resources – OSRs

/usr/local/etc/sshd_config

OSR Configuration File (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.3.9

Protecting Resources – OSRs

/usr/local/etc/sshd2_config

OSR Configuration File (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S

N

AV.1.8.3.10

Protecting Resources – OSRs

/usr/lib/ssh/ssh-keysign

OSR Executable and Libraries (OS: Unix/Linux)

If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.
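The Unix OSR rows above (AV.1.8.2.x and AV.1.8.3.x) all state the same check: the file, if present, must be owned by a system user and group and must not be world-writable. The following Python script is an added example, not part of the IBM tech spec, that applies that check to the paths listed in the rows. The uid/gid cutoff of 999 for "system" accounts is an assumption taken from the usual Linux convention and should be aligned with the applicable OS tech spec.

```python
# Added example (not part of the IBM tech spec): audit the Unix SSH OSR files in rows
# AV.1.8.2.x / AV.1.8.3.x for owner, group and "other" permissions.
import os
import stat

# File paths taken from the spec rows; a path that does not exist is skipped,
# because each row applies only "if the file exists".
OSR_PATHS = [
    "/etc/openssh/sshd_config", "/etc/ssh/sshd_config", "/etc/ssh/sshd2_config",
    "/etc/ssh2/sshd_config", "/etc/ssh2/sshd2_config", "/etc/sshd_config",
    "/etc/sshd2_config", "/usr/local/etc/sshd_config", "/usr/local/etc/sshd2_config",
    "/usr/lib/ssh/ssh-keysign", "/usr/lib/ssh/sshd", "/lib/svc/method/sshd",
]

# Assumption: "system user and group" means a uid/gid in the reserved range below
# 1000, the usual Linux convention. Adjust to the platform's OS tech spec.
SYSTEM_ID_MAX = 999


def evaluate_osr(mode, uid, gid, system_id_max=SYSTEM_ID_MAX):
    """Return the list of violations for one file's st_mode, st_uid and st_gid.

    "Permissions for other must be r-x or more restrictive" means the
    world-write bit must be clear; world read and execute are acceptable.
    """
    problems = []
    if uid > system_id_max:
        problems.append(f"owner uid {uid} is not a system user")
    if gid > system_id_max:
        problems.append(f"group gid {gid} is not a system group")
    if mode & stat.S_IWOTH:
        problems.append(f"other has write permission ({stat.filemode(mode)})")
    return problems


def audit_osr_paths(paths=OSR_PATHS):
    """Map each existing path to its violation list (empty list = compliant)."""
    report = {}
    for path in paths:
        try:
            st = os.stat(path)  # follows symlinks: the target is what sshd loads
        except FileNotFoundError:
            continue
        except PermissionError as exc:
            report[path] = [f"cannot stat: {exc.strerror}"]
            continue
        report[path] = evaluate_osr(st.st_mode, st.st_uid, st.st_gid)
    return report


if __name__ == "__main__":
    for path, problems in audit_osr_paths().items():
        print(path, "OK" if not problems else "; ".join(problems))
```

Run it as root on the audited host so that files in restricted directories can be stat'ed; a non-empty list in the report is a healthcheck finding for that row.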

S

N

AV.1.8.4.1

Protecting Resources – OSRs

C:\Program Files\FSecure\

OSR (OS: Windows)

S

N

AV.1.8.4.2

Protecting Resources – OSRs

C:\Program Files\OpenSSH\

OSR (OS: Windows)

S

N

AV.1.8.4.3

Protecting Resources – OSRs

C:\Program Files\SSH Communications Security\

OSR (OS: Windows)

S

N

AV.1.8.4.4

Protecting Resources – OSRs

C:\Program Files\VShell\

OSR (OS: Windows)

S

N

AV.1.8.4.5

Protecting Resources – OSRs

C:\Program Files\RemotelyAnywhere\

S

N

AV.1.8.4.6

Protecting Resources – OSRs

C:\Program Files\Bitvise WinSSHD\

OSR (OS: Windows)

S

N

AV.1.8.4.7

Protecting Resources – OSRs

C:\Program Files\Attachmate\RSecure\

OSR (OS: Windows)

S

N

AV.1.8.5.1

Protecting Resources – OSRs

C:\Cygwin\bin\scp.exe

OSR (OS: Windows)

S

N

AV.1.8.5.2

Protecting Resources – OSRs

C:\Cygwin\bin\ssh.exe

OSR (OS: Windows)

S

N

AV.1.8.5.3

Protecting Resources – OSRs

C:\Cygwin\bin\sshadd.exe

OSR (OS: Windows)

S

N

AV.1.8.5.4

Protecting Resources – OSRs

C:\Cygwin\bin\sshagent.exe

OSR (OS: Windows)

S

N

AV.1.8.5.5

Protecting Resources – OSRs

C:\Cygwin\bin\ssh-host-config

OSR (OS: Windows)

S

N

AV.1.8.5.6

Protecting Resources – OSRs

C:\Cygwin\bin\sshkeygen.exe

Description for the AV.1.8.4.x directory rows: If the directory exists, the directory and all files and directories contained within it must be treated as OSRs. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.

Description for the AV.1.8.5.x file rows: If the file exists, it must be treated as an OSR. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.

OSR (OS: Windows)

OSR (OS: Windows)

S

N

AV.1.8.5.7

Protecting Resources – OSRs

C:\Cygwin\bin\sshkeyscan.exe

S

N

AV.1.8.5.8

Protecting Resources – OSRs

C:\Cygwin\bin\ssh-userconfig

S

N

AV.1.8.5.10

Protecting Resources – OSRs

C:\Cygwin\etc\defaults\etc\sshd_config

S

N

AV.1.8.5.11

Protecting Resources – OSRs

C:\Cygwin\etc\sshd_config

S

N

AV.1.8.5.12

Protecting Resources – OSRs

C:\Cygwin\usr\sbin\sshkeysign.exe

S

N

AV.1.8.5.13

Protecting Resources – OSRs

C:\Cygwin\usr\sbin\sshd.exe

S

N

AV.1.8.5.14

Protecting Resources – OSRs

C:\Cygwin\usr\sbin\sftpserver.exe

B

N

AV.1.9.1

Protecting Resources - User Resources

PermitUserEnvironment

OSR (OS: Windows)

Description for the remaining AV.1.8.5.x file rows (OS: Windows): If the file exists, it must be treated as an OSR. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.

Permits processing of user environment files, which may allow users to bypass access restrictions. (OpenSSH 3.5/SunSSH 1.2 and greater - OS: Unix, Linux)

no

B

N

AV.1.9.2

Protecting Resources - User Resources

StrictModes

Configures SSH to verify ownership and permissions of user files and home directories before allowing logins.

yes

(OpenSSH/F-Secure/SSH Communications/SunSSH/Attachmate RSIT UNIX Server Only - OS: Unix, Linux)

B

N

AV.1.9.3

Protecting Resources - User Resources

AcceptEnv

Permits passing of user environment variables from the client to the server, which may allow users to bypass access restrictions. (OpenSSH 3.9 and greater - OS: Unix, Linux)

Must not contain variables matching any of the following patterns: TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME, _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH

B

N

AV.2.0.1.1

Business Use Notice

Business Use Notice

None

The PrintMotd option must be set to “yes”.

B

N

AV.2.0.1.2

Business Use Notice

Business use Notice VanDyke Vshell

None

The "MOTD Path" setting must be set to the path of a file that contains the required business use notice.

B

N

AV.2.0.1.3

Business Use Notice

Business use Notice Bitvise WinSSHD

None

The "Session - Banner message file" setting must be set to the path of a file that contains the required business use notice.

B

N

AV.2.0.1.4

Business Use Notice

Business use Notice Attachmate RSIT Windows Server

None

The "General - Banner message file" setting must be set to the path of a file that contains the required business use notice.

B

N

AV.2.1.1.1

Encryption

Data Transmission

None

SSL / OpenSSL: If SSH protocol version 1 is enabled, the required bit length value for public key ciphers specified in the policy must be specified in the ServerKeyBits option.

B

N

AV.2.1.1.2

Encryption

Data Transmission - All native encryption ciphers

None

Must meet the minimum bit length value specified in the base policy

B

N

AV.2.1.1.3

Encryption

Data Transmission DES algorithm

None

The DES algorithm uses 56-bit keys and is relatively easy to compromise. Therefore it must not be used.
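Rows AV.1.9.1 through AV.1.9.3, AV.2.0.1.1, AV.2.1.1.1 and AV.2.1.1.3 are all settings in the OpenSSH sshd_config file, so one parser can check them together. The script below is an added example, not IBM's or OpenSSH's code. It assumes OpenSSH's evaluation rules (first occurrence of a keyword wins, AcceptEnv is cumulative, settings inside a Match block are conditional and are left for separate review) and uses an assumed policy minimum of 2048 bits where row AV.2.1.1.1 refers to "the bit length specified in the policy". The null cipher check reflects the "none" rule that rows AV.2.1.1.5 and AV.2.1.1.6 state for the Windows products.

```python
# Added example (not IBM's or OpenSSH's code): audit an sshd_config text against the
# rows AV.1.9.1-AV.1.9.3, AV.2.0.1.1, AV.2.1.1.1 and AV.2.1.1.3.
import fnmatch
import re

# AcceptEnv patterns the spec forbids (row AV.1.9.3), copied from the page.
FORBIDDEN_ENV = ["TERM", "PATH", "HOME", "MAIL", "SHELL", "LOGNAME", "USER",
                 "USERNAME", "_RLD*", "DYLD_*", "LD_*", "LDR_*", "LIBPATH", "SHLIB_PATH"]


def parse_sshd_config(text):
    """Return {keyword_lower: [value, ...]} for the global section of sshd_config.

    sshd applies the first occurrence of a keyword, so the list keeps file order;
    AcceptEnv is cumulative. Parsing stops at the first Match block, whose settings
    are conditional and should be reviewed separately (assumption of this example).
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        conf.setdefault(key, []).append(parts[1].strip() if len(parts) > 1 else "")
    return conf


def first(conf, key, default):
    """First occurrence wins, as sshd evaluates it; default is the OpenSSH default."""
    return conf.get(key, [default])[0]


def env_pattern_conflicts(configured):
    """True if a configured AcceptEnv entry could admit a forbidden variable.

    Both sides can be globs, so match in both directions: LD_LIBRARY_PATH is caught
    by LD_*, and a wide entry such as * or L* is caught because it matches the
    forbidden pattern text itself.
    """
    return any(fnmatch.fnmatchcase(configured, f) or fnmatch.fnmatchcase(f, configured)
               for f in FORBIDDEN_ENV)


def audit_sshd_config(text, min_server_key_bits=2048):
    """Return one finding per violated row; an empty list means compliant.

    min_server_key_bits is an assumed stand-in for the policy value of row AV.2.1.1.1.
    """
    conf = parse_sshd_config(text)
    findings = []
    if first(conf, "permituserenvironment", "no").lower() != "no":
        findings.append("AV.1.9.1: PermitUserEnvironment must be no")
    if first(conf, "strictmodes", "yes").lower() != "yes":
        findings.append("AV.1.9.2: StrictModes must be yes")
    for entry in " ".join(conf.get("acceptenv", [])).split():
        if env_pattern_conflicts(entry):
            findings.append(f"AV.1.9.3: AcceptEnv entry {entry!r} matches a forbidden pattern")
    if first(conf, "printmotd", "yes").lower() != "yes":
        findings.append("AV.2.0.1.1: PrintMotd must be yes")
    # Protocol 1 counts as enabled only when listed. Releases before OpenSSH 5.4
    # defaulted to "2,1", so on those an absent Protocol line should be treated as enabled.
    if "1" in first(conf, "protocol", "2").replace(",", " ").split():
        bits = int(first(conf, "serverkeybits", "1024"))
        if bits < min_server_key_bits:
            findings.append(f"AV.2.1.1.1: ServerKeyBits {bits} is below the policy minimum {min_server_key_bits}")
    for cipher in first(conf, "ciphers", "").lower().replace(",", " ").split():
        if cipher == "none":
            findings.append("AV.2.1.1.5/AV.2.1.1.6: the null cipher 'none' must not be enabled")
        elif cipher == "des" or cipher.startswith("des-"):  # single DES; 3des-cbc is not single DES
            findings.append(f"AV.2.1.1.3: cipher {cipher!r} must not be used")
    return findings


# Constructed sample configurations, not taken from any real host.
SAMPLE_WEAK = """\
Protocol 2,1
ServerKeyBits 768
PermitUserEnvironment yes
StrictModes no
AcceptEnv LANG LC_* LD_LIBRARY_PATH
PrintMotd no
Ciphers aes256-ctr,3des-cbc,none
"""

SAMPLE_OK = """\
Protocol 2
PermitUserEnvironment no
StrictModes yes
AcceptEnv LANG LC_*
PrintMotd yes
Ciphers aes256-gcm@openssh.com,aes256-ctr
"""

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("ok", SAMPLE_OK)):
        print(name, audit_sshd_config(text) or ["compliant"])
```

Point audit_sshd_config at the contents of whichever configuration file from the AV.1.8.3.x rows the host actually uses; the AcceptEnv check is deliberately conservative and matches in both directions, so a wildcard entry such as LC_* passes while L* or * is flagged.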

B

N

AV.2.1.1.4

Encryption

Data Transmission Server host keys

None

Must meet the minimum bit length value for public key ciphers specified in the base policy

B

N

AV.2.1.1.5

Encryption

Algorithms - Encryption

Configures the encryption algorithms that are used.

The "Algorithms - Encryption" settings must not have "none" selected. (Bitvise WinSSHD Only - OS: Windows)

B

N

AV.2.1.1.6

Encryption

Encryption - Ciphers

Configures the encryption algorithms that are used.

The "Encryption - Ciphers" setting must not be set to "None". (Attachmate RSIT Windows Server - OS: Windows)

B

N

AV.2.1.1.7

Encryption

Authentication - Public Key - Public key minimum length

Configures the minimum length for public keys.

I

N

AV.2.1.2

Encryption

File/Database Storage

No requirements in this category

B

N

AV.2.2.1.1

Passphrases

Private Key Passphrases

passphrase

A passphrase must be assigned to all private keys that are used for user authentication and must not be shared.

B

N

AV.2.2.1.2

Passphrases

Private Key Passphrases

passphrase

Passphrases must consist of a minimum of 5 words, each with a minimum length of 4 characters, and are exempt from the syntax rule for mixing alphabetic and non-alphabetic characters. All other password rules apply.

(Recommended value for AV.2.1.1.7) The "Authentication - Public Key - Public key minimum length" setting must be 1024 or greater. (Attachmate RSIT Windows Server - OS: Windows)

No requirements in this category

B

N

AV.2.2.1.3

Passphrases

Private Key Passphrases - system-to-system authentication

passphrase

A null passphrase may be used as long as the authorized_keys file limits access only from specific hosts by specifying the "from" option with the appropriate value. In order to prevent the keys from being used for interactive user logins, the private key file on the originating hosts must be owned by application and system users/groups, which do not have login capability, and may only be readable and writable by the file owner.

B

N

AV.2.2.1.4

Passphrases

Private Key Passphrases - security administrative and system authority

passphrase

Private keys used to gain access to IDs having security administrative or system authority must be accessible only by remote, password-authenticated users that have security administrative or system authority. Any authorized_keys or authorized_keys2 file that grants access to an ID having security administrative or system authority must limit access only from specific hosts by specifying the "from" option with the appropriate value.
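Rows AV.2.2.1.2 through AV.2.2.1.4 give two checkable rules: the passphrase composition rule (at least 5 words of at least 4 characters) and the requirement that an authorized_keys entry used with a null passphrase or for a privileged ID carries a "from" option. The Python below is an added example, not IBM's code, that parses the authorized_keys options field (including quoted values containing commas or spaces) and reports entries with no host restriction. The sample file is constructed and its key fields are placeholders; backslash-escaped quotes inside option values are not handled.

```python
# Added example (not IBM's code): checks for rows AV.2.2.1.2 (passphrase composition)
# and AV.2.2.1.3 / AV.2.2.1.4 (authorized_keys entries must carry a from= restriction).


def passphrase_meets_spec(passphrase, min_words=5, min_word_len=4):
    """AV.2.2.1.2: at least five words, each at least four characters long.

    The mixed alphabetic/non-alphabetic syntax rule is exempted by the spec; the
    "other password rules" it refers to live in the OS spec and are not checked here.
    """
    words = passphrase.split()
    return len(words) >= min_words and all(len(w) >= min_word_len for w in words)


KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")


def split_options(line):
    """Split an authorized_keys line into (options, rest) at the first whitespace
    outside double quotes; values such as command="a b" may contain spaces."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch in " \t" and not in_quote:
            return line[:i], line[i:].lstrip()
    return line, ""


def parse_options(opts):
    """Comma-separated options; commas inside quotes are kept. Bare flags map to True."""
    result, cur, in_quote = {}, "", False
    for ch in opts + ",":
        if ch == '"':
            in_quote = not in_quote
            cur += ch
        elif ch == "," and not in_quote:
            if cur:
                name, _, value = cur.partition("=")
                result[name.strip().lower()] = value.strip().strip('"') if value else True
            cur = ""
        else:
            cur += ch
    return result


def parse_authorized_keys(text):
    """Return one dict per key line: {"options": {...}, "type": ..., "comment": ...}."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.split()[0].startswith(KEY_TYPE_PREFIXES):
            options, rest = {}, line  # no options field on this line
        else:
            opt_text, rest = split_options(line)
            options = parse_options(opt_text)
        fields = rest.split(None, 2)
        entries.append({"options": options, "type": fields[0],
                        "comment": fields[2] if len(fields) > 2 else ""})
    return entries


def check_from_restriction(text):
    """AV.2.2.1.3 / AV.2.2.1.4: every entry must limit source hosts with from=.

    Returns one finding per entry that lacks a non-empty from= value.
    """
    findings = []
    for n, entry in enumerate(parse_authorized_keys(text), 1):
        src = entry["options"].get("from")
        if not isinstance(src, str) or not src.strip():
            label = entry["comment"] or "no comment"
            findings.append(f"entry {n} ({entry['type']}, {label}): no from= host restriction")
    return findings


# Constructed sample; the key fields are placeholders, not real key material.
SAMPLE_AUTHORIZED_KEYS = """\
# batch transfer key, locked to its source hosts and a fixed command
from="10.0.0.5,*.batch.example.com",no-pty,command="/usr/local/bin/run-backup" ssh-ed25519 AAAAC3PLACEHOLDER1 backup@batchhost
ssh-rsa AAAAB3PLACEHOLDER2 admin@laptop
no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3PLACEHOLDER3 deploy@ci
"""

if __name__ == "__main__":
    print(passphrase_meets_spec("correct horse battery staple again"))  # True
    for finding in check_from_restriction(SAMPLE_AUTHORIZED_KEYS):
        print(finding)
```

For a privileged ID, run check_from_restriction over both its authorized_keys and authorized_keys2 files, since row AV.2.2.1.4 covers both; the first sample entry passes, the other two are reported.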

I

N

AV.3.0.0

Process Exceptions

No requirements in this category

No requirements in this category

I

Y

AV.5.0.0

Privileged Authorizations/Userids

Note

Description of privileged Ids: The rows in section 5 below describe the list of UserIDs or groups that have Privileged authority.

No value to be set

B

Y

AV.5.0.1

Privileged Authorizations/Userids

The user ID used for privilege separation (typically called "sshd" on Unix systems)

None

I

Y

AV.5.0.2

Privileged Authorizations/Userids

Note

No value to be set

(AV.5.0.1) Must not be a member of any group that grants system or security administrative authority, as defined by the applicable OS Technical Specification. May be a member of the "sshd" group, regardless of the associated GID, as this group is not considered to grant system or security administrative authority.

(AV.5.0.2) SSH uses the authentication facilities of the operating system on which it runs.
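The check in row AV.5.0.1 (the privilege-separation user must not belong to any group granting system or security administrative authority, except the "sshd" group itself) can be verified from the passwd and group databases. The Python below is an added example, not IBM's code; it works on passwd/group file text so it runs offline, and the set of administrative group names is an assumption, since the applicable OS tech spec is the real source of that list. The sample files are constructed.

```python
# Added example (not IBM's code): verify the privilege-separation user of row AV.5.0.1
# against the group memberships recorded in passwd/group text.

# Assumption: these group names grant system or security administrative authority on
# the audited platform; the applicable OS tech spec is the real source of this list.
ADMIN_GROUPS = {"root", "wheel", "sudo", "adm", "admin"}

# Group the spec explicitly allows the user to be in, regardless of its GID.
ALLOWED_GROUPS = {"sshd"}


def parse_passwd(text):
    """name:x:uid:gid:gecos:home:shell -> {name: primary gid}"""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            users[fields[0]] = int(fields[3])
    return users


def parse_group(text):
    """name:x:gid:member,member -> {name: (gid, {members})}"""
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, gid, members = line.split(":", 3)
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def groups_of(user, passwd, groups):
    """All groups a user belongs to: primary gid plus supplementary memberships."""
    primary = passwd.get(user)
    return {name for name, (gid, members) in groups.items()
            if user in members or gid == primary}


def check_privsep_user(passwd_text, group_text, user="sshd", admin_groups=ADMIN_GROUPS):
    """Return the administrative groups the privsep user belongs to (empty = compliant)."""
    passwd = parse_passwd(passwd_text)
    if user not in passwd:
        return [f"user {user!r} does not exist"]
    membership = groups_of(user, passwd, parse_group(group_text))
    return sorted((membership - ALLOWED_GROUPS) & admin_groups)


# Constructed sample files, not copied from a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

SAMPLE_GROUP_BAD = """\
root:x:0:
wheel:x:10:root,sshd
sshd:x:74:
users:x:100:alice
"""

SAMPLE_GROUP_OK = SAMPLE_GROUP_BAD.replace("root,sshd", "root")

if __name__ == "__main__":
    print(check_privsep_user(SAMPLE_PASSWD, SAMPLE_GROUP_BAD))  # ['wheel']
    print(check_privsep_user(SAMPLE_PASSWD, SAMPLE_GROUP_OK))   # []
```

On a live host, pass the contents of /etc/passwd and /etc/group (or the output of getent passwd and getent group, so that directory-backed accounts are included) and set admin_groups to the groups the OS tech spec names.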
