© Copyright IBM Corporation, 1997, 2014 - All Rights Reserved

SSH Technical Specification
Version 1.0, 25 July 2018

Products covered by this tech spec (ensure the product versions reflect those supported by the client):
• OpenSSH
• F-Secure SSH
• SSH Communications Secure Shell
• VanDyke VShell for Windows
• SunSSH (Solaris Secure Shell)
• RemotelyAnywhere for Windows
• Attachmate Reflection for Secure IT UNIX Server
• Attachmate Reflection for Secure IT Windows Server
• Bitvise WinSSHD

Tech Spec Review
Date Reviewed (mm/dd/yy):
Server/System name: ORACLE RAC
Name(s) of Individuals / Role:
Special Considerations for this Tech Spec:
Customer Requirement:
Potential Threat:
Exception to requirement (tech spec reference):
Review Comments:

Requirement type legend: B = baseline; S = healthcheck and baseline; I = informational requirement (no requirement to B or S); P = process requirement (no requirement to B or S). Foundation = Y/N.

Each section below is headed by its Section Heading; each row reads: Type | Foundation (Y/N) | Section # | System Value/Parameter (with the products and OS it applies to) | Description | Recommended Value
Password Requirements

I | Y | AV.1.1.0 | Username/Password Authentication | No requirements in this category | No requirements in this category
S | Y | AV.1.1.1 | PermitEmptyPasswords (OpenSSH/F-Secure/SSH Communications/SunSSH/Attachmate RSIT UNIX Server Only - OS: Unix, Linux) | Allows login to accounts with empty password strings. | no
S | Y | AV.1.1.2 | Disallow Blank Passwords (VanDyke VShell Only - OS: Windows) | Disallows login to accounts with empty password strings. | 1
S | Y | AV.1.1.3 | Authentication - Password - Permit empty passwords (Attachmate RSIT Windows Server Only - OS: Windows) | Allows login to accounts with empty password strings. | Must not be selected.

Logging

I | Y | AV.1.2.1.1 | Note (OpenSSH/SunSSH/Attachmate RSIT UNIX Server Only - OS: Unix, Linux) | Determines the level of logging. | On most OS platforms, the standard system access logs are sufficient to record the required auditable records. If the OS platform does not record the required auditable records, logging must be performed through the syslog subsystem.
S | Y | AV.1.2.1.2 | LogLevel (OpenSSH/SunSSH/Attachmate RSIT UNIX Server Only - OS: Unix, Linux) | Determines the level of logging. | If logging is performed through syslog, the LogLevel must be set to INFO or higher. Must be set to VERBOSE or higher if multiple keys are used to access shared IDs.
S | Y | AV.1.2.1.3 | LogLevel (OpenSSH/SunSSH/Attachmate RSIT UNIX Server Only - OS: Unix, Linux) | Determines the level of logging. | If DEBUG is specified, the resultant log files must be accessible only by the superuser (e.g. root or administrator) account in order to maintain privacy of user data.
S | Y | AV.1.2.2 | QuietMode (F-Secure/SSH Communications Only - OS: Unix, Linux) | Specifies that only fatal errors should be logged. | no
S | Y | AV.1.2.3.1 | Log Topic Authentication (VanDyke VShell Only - OS: Windows) | Determines which event types are logged. | 1
S | Y | AV.1.2.3.2 | Log Topic Error (VanDyke VShell Only - OS: Windows) | Determines which event types are logged. | 1
S | Y | AV.1.2.3.3 | Log Topic Forward (VanDyke VShell Only - OS: Windows) | Determines which event types are logged. | 1
S | Y | AV.1.2.3.4 | Log Topic Info (VanDyke VShell Only - OS: Windows) | Determines which event types are logged. | 1
S | Y | AV.1.2.3.5 | Log Topic SFTP (VanDyke VShell Only - OS: Windows) | Determines which event types are logged. | 1
S | Y | AV.1.2.3.6 | Log Topic Warning (VanDyke VShell Only - OS: Windows) | Determines which event types are logged. | 1
S | Y | AV.1.2.4.1 | Server - Logging - Log to Windows Event Log (Bitvise WinSSHD Only - OS: Windows) | Configures logging to the Windows Event Log. | If selected, the "Server - Logging Windows Event Log logging level" parameter must be set to at least "Errors, Warnings".
S | Y | AV.1.2.4.2 | Server - Logging - Log to textual log file (Bitvise WinSSHD Only - OS: Windows) | Configures logging to a log file. | If selected, the "Server - Logging Textual log file logging level" parameter must be set to at least "Errors, Warnings".
S | Y | AV.1.2.4.3 | Event Logging - Enable logging to Windows Event Viewer (Attachmate RSIT Windows Server Only - OS: Windows) | Configures logging to the Windows Event Log. | If selected, must be configured to capture at least "Errors" and "Warnings".
S | Y | AV.1.2.4.4 | Debug Logging - Enable debug logging to log file (Attachmate RSIT Windows Server Only - OS: Windows) | Configures logging to a log file. | If selected, must be configured to capture at least "Errors" and "Warnings".
B | Y | AV.1.2.4 | Retain Log Files | None | 90 days

AntiVirus

I | Y | AV.1.3.0 | No requirements in this category | No requirements in this category | No requirements in this category
System Settings

B | N | AV.1.4.1 | KeepAlive (OpenSSH 3.7 and prior/SunSSH/Attachmate RSIT UNIX Server - OS: Unix, Linux) | Configures the server to send TCP keepalive messages to the client and clean up crashed sessions to prevent indefinitely hanging sessions. | yes
B | N | AV.1.4.2 | TCPKeepAlive (OpenSSH 3.8 and greater - OS: Unix, Linux) | Configures the server to send TCP keepalive messages to the client and clean up crashed sessions to prevent indefinitely hanging sessions. | yes
B | N | AV.1.4.3 | LoginGraceTime (OpenSSH/F-Secure/SSH Communications/SunSSH/Attachmate RSIT UNIX Server Only - OS: Unix, Linux) | The number of seconds before the server disconnects a session that has not been successfully authenticated. | 120 or less and must not be 0
B | N | AV.1.4.4 | MaxConnections (F-Secure/SSH Communications Only - OS: Unix, Linux) | The maximum number of simultaneous sessions that can be open to the server. | 100 or less, unless there is a valid need for more simultaneous connections
B | N | AV.1.4.5 | MaxStartups (OpenSSH/SunSSH/Attachmate RSIT UNIX Server Only - OS: Unix, Linux) | The maximum number of simultaneous, unauthenticated sessions that can be open to the server. | 100 or less. Alternatively, the MaxStartups option can be configured using the "start:rate:full" syntax; the setting for "full" must not exceed 100.
B | N | AV.1.4.6 | Keep Alive (VanDyke VShell Only - OS: Windows) | Configures the server to send TCP keepalive messages to the client and clean up crashed sessions to prevent indefinitely hanging sessions. | 1
B | N | AV.1.4.7 | Authentication Timeout (VanDyke VShell Only - OS: Windows) | The number of seconds before the server disconnects a session that has not been successfully authenticated. | 120 or less
B | N | AV.1.4.8 | MaxAuthTries (OpenSSH 3.9 and greater / SunSSH - OS: Unix, Linux) | Specifies the maximum number of authentication attempts permitted per connection. | 5 or less
B | N | AV.1.4.9 | Maximum Authentication Retries (VanDyke VShell Only - OS: Windows) | Specifies the maximum number of authentication attempts permitted per connection. | 5 or less
B | N | AV.1.4.10 | Session - Keep-alive / broken session detection (Bitvise WinSSHD Only - OS: Windows) | The number of seconds of inactivity before the server will send a keep-alive request to the client. | 60 or less, and must not be 0
B | N | AV.1.4.11 | Session - Login timeout (Bitvise WinSSHD Only - OS: Windows) | The number of seconds before the server disconnects a session that has not been successfully authenticated. | 120 or less, and must not be 0
B | N | AV.1.4.12 | Session - Maximum login attempts (Bitvise WinSSHD Only - OS: Windows) | Specifies the maximum number of authentication attempts permitted per connection. | 5 or less
B | N | AV.1.4.13 | Session - Maximum total sessions (Bitvise WinSSHD Only - OS: Windows) | The maximum number of simultaneous sessions that can be open to the server. | 100 or less
B | N | AV.1.4.14 | AuthKbdInt.Retries (Attachmate RSIT UNIX Server Only - OS: Unix) | Specifies the maximum number of authentication attempts permitted per connection. | 5 or less
B | N | AV.1.4.15 | Network - Client keep alive (Attachmate RSIT Windows Server Only - OS: Windows) | The number of seconds the server waits between sending keepalive messages to the client. | 60 or less, and must not be 0
B | N | AV.1.4.16 | Authentication - Grace time for completion of authentication process (Attachmate RSIT Windows Server Only - OS: Windows) | The number of seconds before the server disconnects a session that has not been successfully authenticated. | 120 or less, and must not be 0
B | N | AV.1.4.17 | Authentication - Password - Number of password attempts (Attachmate RSIT Windows Server Only - OS: Windows) | Specifies the maximum number of password authentication attempts permitted per connection. | 5 or less
B | N | AV.1.4.18 | General - Maximum number of connections (Attachmate RSIT Windows Server Only - OS: Windows) | The maximum number of simultaneous sessions that can be open to the server. | 100 or less
Network Settings

B | N | AV.1.5.1 | KeyRegenerationInterval (OpenSSH/SunSSH Only - OS: Unix, Linux) | The number of seconds that elapse between regenerations of the server's ephemeral key. | 3600 or less, and must not be 0
B | N | AV.1.5.2 | Protocol (OpenSSH/SunSSH Only - OS: Unix, Linux) | The SSH protocol(s) that are accepted by the server. | "2", "2,1" or "1,2". SSH Protocol 1 is known to contain inherent weaknesses. Therefore, Protocol 2 must be enabled. Protocol 1 is permissible only in situations where interoperability issues prevent the use of Protocol 2.
B | N | AV.1.5.3 | SSH1ServerKeyTime (RemotelyAnywhere Only - OS: Windows) | The number of seconds that elapse between regenerations of the server's ephemeral key. | 3600 or less, and must not be 0
B | N | AV.1.5.4 | SSH2 (RemotelyAnywhere Only - OS: Windows) | Configures the server to accept the SSH2 protocol. | 1. Protocol 1 is known to contain inherent weaknesses. Therefore, Protocol 2 must be enabled. Protocol 1 is permissible only in situations where interoperability issues prevent the use of Protocol 2.
B | N | AV.1.5.5 | GatewayPorts (OpenSSH/SunSSH/Attachmate RSIT UNIX Server Only - OS: Unix, Linux) | Specifies whether remote hosts are allowed to connect to ports forwarded for the client. Can be used to bypass firewall controls. | no
B | N | AV.1.5.6 | Access control - Windows groups / Access control - Windows accounts / Access control - Virtual groups / Access control - Virtual accounts - Permissions - Allow server to client (remote) port forwarding (Bitvise WinSSHD Only - OS: Windows) | Configures access controls for users and groups. | The "Permit S2C port forwarding" parameter must not be enabled for any users/groups.
B | N | AV.1.5.7 | (Attachmate RSIT Windows Server Only - OS: Windows) | Specifies whether remote hosts are allowed to connect to ports forwarded for the client. Can be used to bypass firewall controls. | Must not be enabled.
Identify and Authenticate Users

S | N | AV.1.7.1.1 | PermitRootLogin (OpenSSH/F-Secure/SSH Communications/SunSSH/Attachmate RSIT UNIX Server Only - OS: Unix, Linux) | Permits the root user to login remotely. | May be set to "forced-commands-only" or "without-password" only if mechanisms are in place to determine the identity of the individual accessing the system. Otherwise, must be set to "no".
B | N | AV.1.7.1.2 | PermitRootLogin forcedcommands / PermitRootLogin without-password / PermitRootLogin yes (OpenSSH/F-Secure/SSH Communications/SunSSH/Attachmate RSIT UNIX Server Only - OS: Unix, Linux) | Permits the root user to login remotely. | If public-key authentication is used to access the root account, separate private keys must be used for each individual and logs must be maintained showing which individuals have accessed the root account.
P | N | AV.1.7.2 | Public Key Authentication | Public key authentication allows a user to authenticate to a system without the use of a password. | Keys used for authentication must meet the required bit length value for public key algorithms specified in the base policy. The key pairs do not need to be updated periodically. However, if the private key is suspected to have been compromised, the public and private keys must be regenerated.
P | N | AV.1.7.3.1 | Host-Based Authentication | Host-based authentication allows access based on a list of trusted hosts in combination with successful client-key authentication. | All hosts from which the system is to be accessed using host-based authentication must be subject to the requirements of this document.
B | N | AV.1.7.3.2 | Host-Based Authentication - /etc/hosts.equiv file | Host-based authentication allows access based on a list of trusted hosts in combination with successful client-key authentication. | Must not be used to enable host-based authentication.
B | N | AV.1.7.3.3 | Host-Based Authentication - /etc/shosts.equiv file | Host-based authentication allows access based on a list of trusted hosts in combination with successful client-key authentication. | Must be used if host-based authentication is enabled. This prevents unintentionally permitting access via the rsh/rlogin/rcp commands.
P | N | AV.1.7.4 | PubkeyAuthentication (OpenSSH/SunSSH Only - OS: Unix, Linux) | Permits users to login using public/private key pairs. | If set to "yes", the requirements in the "Public Key Authentication" section must be applied.
P | N | AV.1.7.5 | RSAAuthentication (OpenSSH/SunSSH Only - OS: Unix, Linux) | Specifies whether pure RSA authentication is allowed. | If set to "yes", the requirements in the "Public Key Authentication" section must be applied.
P | N | AV.1.7.6 | HostbasedAuthentication (OpenSSH/SunSSH Only - OS: Unix, Linux) | Specifies whether host-based authentication is allowed. | If set to "yes", the requirements in the "Host-Based Authentication" section must be applied.
P | N | AV.1.7.7 | AllowedAuthentications (F-Secure/SSH Communications/Attachmate RSIT UNIX Server Only - OS: Unix, Linux) | Specifies the authentication mechanisms that are allowed. | If the setting contains "publickey", the requirements in the "Public Key Authentication" section must be applied. If the setting contains "hostbased", the requirements in the "Host-Based Authentication" section must be applied.
P | N | AV.1.7.8 | Authentications Allowed (VanDyke VShell Only - OS: Windows) | Specifies the authentication mechanisms that are allowed. | If the setting contains "publickey", the requirements in the "Public Key Authentication" section must be applied.
P | N | AV.1.7.9 | AuthPubkey (RemotelyAnywhere Only - OS: Windows) | Permits users to login using public/private key pairs. | If set to 1, the requirements in the "Public Key Authentication" section must be applied.
P | N | AV.1.7.10 | Access control - Windows groups / Access control - Windows accounts / Access control - Virtual groups / Access control - Virtual accounts - Authentication - Public Key - Public key authentication (Bitvise WinSSHD Only - OS: Windows) | Configures access controls for users and groups. | If any Windows or Virtual users/groups have "Public key authentication" set to "allowed", the requirements in the "Public Key Authentication" section must be applied.
P | N | AV.1.7.11 | (Attachmate RSIT Windows Server Only - OS: Windows) | Permits users to login using public/private key pairs. | If the setting is "Allowed" or "Required", the requirements in the "Public Key Authentication" section must be applied.
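The OpenSSH rows of the sections above (AV.1.1.1, AV.1.2.1.2, AV.1.2.1.3, AV.1.4.2, AV.1.4.3, AV.1.4.5, AV.1.4.8, AV.1.5.1, AV.1.5.2, AV.1.5.5 and AV.1.7.1.1) can be evaluated mechanically against an sshd_config. The checker below is an added example and not part of the IBM tech spec; the OpenSSH defaults it assumes for absent keywords, the constructed sample configuration and the PASS/FAIL/REVIEW finding format are this example's own assumptions.

```python
"""Evaluate an OpenSSH sshd_config against the OpenSSH rows of the SSH tech spec.
Added example: thresholds come from the spec rows; the parser, the assumed
defaults and the finding format are assumptions of this example."""
import re

# Defaults assumed when a keyword is absent (OpenSSH 7.x documented defaults;
# verify against sshd_config(5) for the installed version).
DEFAULTS = {
    "permitemptypasswords": "no",
    "loglevel": "INFO",
    "tcpkeepalive": "yes",
    "logingracetime": "120",
    "maxstartups": "10:30:100",
    "maxauthtries": "6",
    "keyregenerationinterval": "3600",
    "protocol": "2",
    "gatewayports": "no",
    "permitrootlogin": "prohibit-password",
}

# sshd LogLevel values from least to most verbose.
LOGLEVELS = ["QUIET", "FATAL", "ERROR", "INFO", "VERBOSE",
             "DEBUG", "DEBUG1", "DEBUG2", "DEBUG3"]

# Constructed sample configuration (not from any real host) with three violations.
SAMPLE_CONFIG = """
Port 22
Protocol 2
LogLevel VERBOSE
PermitEmptyPasswords no
PermitRootLogin without-password
LoginGraceTime 2m
MaxAuthTries 6
MaxStartups 10:30:150
GatewayPorts yes
TCPKeepAlive yes
"""


def parse_sshd_config(text):
    """Map lowercased keyword -> value. sshd honours the first occurrence of a
    keyword, so later duplicates are ignored; Match blocks are out of scope."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def to_seconds(value):
    """sshd time format: bare seconds or suffixed quantities (2m, 1h30m)."""
    units = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    return sum(int(q) * units[u] for q, u in re.findall(r"(\d+)([smhdw]?)", value.lower()))


def check_sshd_config(text):
    """Return findings: dicts with ref (spec row), key, value, status and msg."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []

    def add(ref, key, ok, msg, status_if_bad="FAIL"):
        findings.append({"ref": ref, "key": key, "value": cfg[key],
                         "status": "PASS" if ok else status_if_bad, "msg": msg})

    add("AV.1.1.1", "permitemptypasswords", cfg["permitemptypasswords"].lower() == "no", "must be no")
    lvl = cfg["loglevel"].upper()
    if lvl not in LOGLEVELS or LOGLEVELS.index(lvl) < LOGLEVELS.index("INFO"):
        add("AV.1.2.1.2", "loglevel", False, "must be INFO or higher")
    elif lvl.startswith("DEBUG"):
        add("AV.1.2.1.3", "loglevel", False, "DEBUG: log files must be readable by the superuser only", "REVIEW")
    else:
        add("AV.1.2.1.2", "loglevel", True, "INFO or higher")
    add("AV.1.4.2", "tcpkeepalive", cfg["tcpkeepalive"].lower() == "yes", "must be yes")
    grace = to_seconds(cfg["logingracetime"])
    add("AV.1.4.3", "logingracetime", 0 < grace <= 120, "120 or less and must not be 0")
    full = cfg["maxstartups"].split(":")[-1]  # "N" or "start:rate:full": the cap is the last field
    add("AV.1.4.5", "maxstartups", full.isdigit() and int(full) <= 100, "full must not exceed 100")
    tries = cfg["maxauthtries"]
    add("AV.1.4.8", "maxauthtries", tries.isdigit() and int(tries) <= 5, "5 or less")
    regen = to_seconds(cfg["keyregenerationinterval"])
    add("AV.1.5.1", "keyregenerationinterval", 0 < regen <= 3600, "3600 or less and must not be 0")
    protos = [p.strip() for p in cfg["protocol"].split(",")]
    add("AV.1.5.2", "protocol", "2" in protos, "Protocol 2 must be enabled")
    add("AV.1.5.5", "gatewayports", cfg["gatewayports"].lower() == "no", "must be no")
    root = cfg["permitrootlogin"].lower()
    if root == "no":
        add("AV.1.7.1.1", "permitrootlogin", True, "root login disabled")
    elif root in ("forced-commands-only", "without-password", "prohibit-password"):
        # prohibit-password is the newer OpenSSH spelling of without-password.
        add("AV.1.7.1.1", "permitrootlogin", False,
            "allowed only with per-individual keys and access logs (AV.1.7.1.2)", "REVIEW")
    else:
        add("AV.1.7.1.1", "permitrootlogin", False, "must be no")
    return findings


def failing(findings):
    """Sorted keywords whose status is FAIL."""
    return sorted(f["key"] for f in findings if f["status"] == "FAIL")


if __name__ == "__main__":
    for f in check_sshd_config(SAMPLE_CONFIG):
        print(f"{f['status']:6} {f['ref']:10} {f['key']} = {f['value']!r}: {f['msg']}")
```

Run against the sample, the three FAIL rows are MaxAuthTries, MaxStartups and GatewayPorts, and PermitRootLogin is flagged for review because the spec allows "without-password" only with per-individual keys and access logs.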
Protecting Resources – OSRs

P | N | AV.1.8.0.1 | Note | Source code must be validated against trusted MD5 or PGP signatures to ensure that the code has not been compromised and to eliminate the threat of compile-time trojan horse attacks. Alternatively, pre-compiled distributions may be used if they originate from a trusted source. | none
I | N | AV.1.8.1.1 | Note | /opt/freeware/ | The files in the "Executable and Libraries" section below typically reside in one of these directories.
I | N | AV.1.8.1.2 | Note | /usr/ | The files in the "Executable and Libraries" section below typically reside in one of these directories.
I | N | AV.1.8.1.3 | Note | /usr/local/ | The files in the "Executable and Libraries" section below typically reside in one of these directories.
I | N | AV.1.8.1.4 | Note | /usr/openssh/ | The files in the "Executable and Libraries" section below typically reside in one of these directories.
I | N | AV.1.8.1.5 | Note | /usr/ssh/ | The files in the "Executable and Libraries" section below typically reside in one of these directories.
I | N | AV.1.8.2.0 | Note | All SSH server configuration files, executables and libraries must be treated as OSR objects. | The following is a minimum set of SSH server files that must be treated as OSRs:

Recommended Value shared by every file in AV.1.8.2.1 through AV.1.8.3.10: If the file exists, it must be treated as an OSR. Must be owned by a system user and group. Permissions for other must be r-x or more restrictive.

S | N | AV.1.8.2.1 | bin/openssl | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.2 | bin/scp | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.3 | bin/scp2 | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.4 | bin/sftp | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.5 | bin/sftp2 | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.6 | bin/sftp-server | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.7 | bin/sftp-server2 | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.8 | bin/slogin | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.9 | bin/ssh | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.10 | bin/ssh2 | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.11 | bin/ssh-add | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.12 | bin/ssh-add2 | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.13 | bin/ssh-agent | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.14 | bin/ssh-agent2 | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.15 | bin/ssh-askpass | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.16 | bin/ssh-askpass2 | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.17 | bin/ssh-certenroll2 | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.18 | bin/ssh-chrootmgr | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.19 | bin/ssh-dummy-shell | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.20 | bin/ssh-keygen | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.21 | bin/ssh-keygen2 | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.22 | bin/ssh-keyscan | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.23 | bin/ssh-pam-client | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.24 | bin/ssh-probe | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.25 | bin/ssh-probe2 | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.26 | bin/ssh-pubkeymgr | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.27 | bin/ssh-signer | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.28 | bin/ssh-signer2 | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.29 | lib/libcrypto.a | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.30 | lib/libssh.a | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.31 | lib/libssl.a | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.32 | lib/libz.a | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.33 | lib-exec/openssh/sftp-server | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.34 | lib-exec/openssh/ssh-keysign | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.35 | lib-exec/openssh/ssh-askpass | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.36 | lib-exec/sftp-server | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.37 | lib-exec/ssh-keysign | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.38 | lib-exec/ssh-rand-helper | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.39 | libexec/openssh/sftp-server | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.40 | libexec/openssh/ssh-keysign | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.41 | libexec/openssh/ssh-askpass | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.42 | libexec/sftp-server | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.43 | libexec/ssh-keysign | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.44 | libexec/ssh-rand-helper | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.45 | sbin/sshd | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.46 | sbin/sshd2 | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.47 | sbin/sshd-check-conf | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.49 | /lib/svc/method/sshd | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.2.50 | /usr/lib/ssh/sshd | OSR Executable and Libraries (OS: Unix/Linux)
S | N | AV.1.8.3.1 | /etc/openssh/sshd_config | OSR Configuration File (OS: Unix/Linux)
S | N | AV.1.8.3.2 | /etc/ssh/sshd_config | OSR Configuration File (OS: Unix/Linux)
S | N | AV.1.8.3.3 | /etc/ssh/sshd2_config | OSR Configuration File (OS: Unix/Linux)
S | N | AV.1.8.3.4 | /etc/ssh2/sshd_config | OSR Configuration File (OS: Unix/Linux)
S | N | AV.1.8.3.5 | /etc/ssh2/sshd2_config | OSR Configuration File (OS: Unix/Linux)
S | N | AV.1.8.3.6 | /etc/sshd_config | OSR Configuration File (OS: Unix/Linux)
S | N | AV.1.8.3.7 | /etc/sshd2_config | OSR Configuration File (OS: Unix/Linux)
S | N | AV.1.8.3.8 | /usr/local/etc/sshd_config | OSR Configuration File (OS: Unix/Linux)
S | N | AV.1.8.3.9 | /usr/local/etc/sshd2_config | OSR Configuration File (OS: Unix/Linux)
S | N | AV.1.8.3.10 | /usr/lib/ssh/ssh-keysign | OSR Executable and Libraries (OS: Unix/Linux)
N
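As an added example (not part of the IBM spec), the Unix OSR rule stated in the rows above, written as a check: if the file exists it must be owned by a system user and group, and "other" permissions must be r-x or more restrictive. The uid/gid threshold used to decide what counts as a system account is an assumption, not something the spec defines.

```python
# Added example (not from the IBM spec): check a candidate OSR file against
# the Unix rule above: if it exists it must be owned by a system user and
# group, and "other" permissions must be r-x or more restrictive.
import os
import stat

# Assumption (not stated by the spec): uid/gid values below this threshold
# denote system accounts; adjust to the platform's convention.
SYSTEM_ID_MAX = 1000

def evaluate_osr(uid, gid, mode, system_id_max=SYSTEM_ID_MAX):
    """Pure check on stat fields; returns a list of findings (empty = compliant)."""
    findings = []
    if uid >= system_id_max:
        findings.append("owner uid %d is not a system user" % uid)
    if gid >= system_id_max:
        findings.append("group gid %d is not a system group" % gid)
    # "r-x or more restrictive" for other: the other-write bit must be clear.
    if mode & stat.S_IWOTH:
        findings.append("other has write permission (%s)" % stat.filemode(mode))
    return findings

def check_osr(path):
    """None when the file does not exist (the rule does not apply); otherwise
    the findings. os.stat follows symlinks, so the target is what is assessed."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return evaluate_osr(st.st_uid, st.st_gid, st.st_mode)

# OSR configuration files and the ssh-keysign helper listed in this section.
OSR_FILES = [
    "/etc/ssh/sshd2_config", "/etc/ssh2/sshd_config", "/etc/ssh2/sshd2_config",
    "/etc/sshd_config", "/etc/sshd2_config", "/usr/local/etc/sshd_config",
    "/usr/local/etc/sshd2_config", "/usr/lib/ssh/ssh-keysign",
]

if __name__ == "__main__":
    for p in OSR_FILES:
        result = check_osr(p)
        if result is not None:
            print(p, "OK" if not result else "; ".join(result))
```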
AV.1.8.4.1
Protecting Resources – OSRs
C:\Program Files\FSecure\
OSR (OS: Windows)
If the directory exists, the directory and all files and directories contained within it must be treated as OSRs. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.
S
N
AV.1.8.4.2
Protecting Resources – OSRs
C:\Program Files\OpenSSH\
OSR (OS: Windows)
If the directory exists, the directory and all files and directories contained within it must be treated as OSRs. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.
S
N
AV.1.8.4.3
Protecting Resources – OSRs
C:\Program Files\SSH Communications Security\
OSR (OS: Windows)
If the directory exists, the directory and all files and directories contained within it must be treated as OSRs. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.
S
N
AV.1.8.4.4
Protecting Resources – OSRs
C:\Program Files\VShell\
OSR (OS: Windows)
If the directory exists, the directory and all files and directories contained within it must be treated as OSRs. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.
S
N
AV.1.8.4.5
Protecting Resources – OSRs
C:\Program Files\RemotelyAnywhere\
OSR (OS: Windows)
If the directory exists, the directory and all files and directories contained within it must be treated as OSRs. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.
S
N
AV.1.8.4.6
Protecting Resources – OSRs
C:\Program Files\Bitvise WinSSHD\
OSR (OS: Windows)
If the directory exists, the directory and all files and directories contained within it must be treated as OSRs. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.
S
N
AV.1.8.4.7
Protecting Resources – OSRs
C:\Program Files\Attachmate\RSecure\
OSR (OS: Windows)
If the directory exists, the directory and all files and directories contained within it must be treated as OSRs. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.
S
N
AV.1.8.5.1
Protecting Resources – OSRs
C:\Cygwin\bin\scp.exe
OSR (OS: Windows)
If the file exists, it must be treated as an OSR. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.
S
N
AV.1.8.5.2
Protecting Resources – OSRs
C:\Cygwin\bin\ssh.exe
OSR (OS: Windows)
If the file exists, it must be treated as an OSR. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.
S
N
AV.1.8.5.3
Protecting Resources – OSRs
C:\Cygwin\bin\ssh-add.exe
OSR (OS: Windows)
If the file exists, it must be treated as an OSR. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.
S
N
AV.1.8.5.4
Protecting Resources – OSRs
C:\Cygwin\bin\ssh-agent.exe
OSR (OS: Windows)
If the file exists, it must be treated as an OSR. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.
S
N
AV.1.8.5.5
Protecting Resources – OSRs
C:\Cygwin\bin\ssh-host-config
OSR (OS: Windows)
If the file exists, it must be treated as an OSR. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.
S
N
AV.1.8.5.6
Protecting Resources – OSRs
C:\Cygwin\bin\ssh-keygen.exe
OSR (OS: Windows)
If the file exists, it must be treated as an OSR. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.
S
N
AV.1.8.5.7
Protecting Resources – OSRs
C:\Cygwin\bin\ssh-keyscan.exe
OSR (OS: Windows)
If the file exists, it must be treated as an OSR. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.
S
N
AV.1.8.5.8
Protecting Resources – OSRs
C:\Cygwin\bin\ssh-userconfig
OSR (OS: Windows)
If the file exists, it must be treated as an OSR. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.
S
N
AV.1.8.5.10
Protecting Resources – OSRs
C:\Cygwin\etc\defaults\etc\sshd_config
OSR (OS: Windows)
If the file exists, it must be treated as an OSR. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.
S
N
AV.1.8.5.11
Protecting Resources – OSRs
C:\Cygwin\etc\sshd_config
OSR (OS: Windows)
If the file exists, it must be treated as an OSR. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.
S
N
AV.1.8.5.12
Protecting Resources – OSRs
C:\Cygwin\usr\sbin\ssh-keysign.exe
OSR (OS: Windows)
If the file exists, it must be treated as an OSR. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.
S
N
AV.1.8.5.13
Protecting Resources – OSRs
C:\Cygwin\usr\sbin\sshd.exe
OSR (OS: Windows)
If the file exists, it must be treated as an OSR. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.
S
N
AV.1.8.5.14
Protecting Resources – OSRs
C:\Cygwin\usr\sbin\sftp-server.exe
OSR (OS: Windows)
If the file exists, it must be treated as an OSR. The maximum authority permitted to general users is: Read & Execute, List Folder Contents, Read.
B
N
AV.1.9.1
Protecting Resources - User Resources
PermitUserEnvironment
Permits processing of user environment files, which may allow users to bypass access restrictions.
no
(OpenSSH 3.5/SunSSH 1.2 and greater - OS: Unix, Linux)
B
N
AV.1.9.2
Protecting Resources - User Resources
StrictModes
Configures SSH to verify ownership and permissions of user files and home directories before allowing logins.
yes
(OpenSSH/F-Secure/SSH Communications/SunSSH/Attachmate RSIT UNIX Server Only - OS: Unix, Linux)
B
N
AV.1.9.3
Protecting Resources - User Resources
AcceptEnv
Permits passing of user environment variables from the client to the server, which may allow users to bypass access restrictions.
Must not contain variables matching any of the following patterns: TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME, _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH
(OpenSSH 3.9 and greater - OS: Unix, Linux)
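As an added example (not part of the IBM spec), an audit of the three user-resource requirements above, AV.1.9.1 to AV.1.9.3, run over an sshd_config text; the configuration it reads is a constructed sample, and the parser follows OpenSSH's rule that the first occurrence of a single-valued keyword wins.

```python
# Added example (not from the IBM spec): audit the AV.1.9.1-AV.1.9.3 settings
# (PermitUserEnvironment, StrictModes, AcceptEnv) in an sshd_config text.
# Match blocks are not modelled: every directive in the file is inspected.
from fnmatch import fnmatchcase

# Variable name patterns that AV.1.9.3 forbids in AcceptEnv.
FORBIDDEN_ENV = ["TERM", "PATH", "HOME", "MAIL", "SHELL", "LOGNAME", "USER", "USERNAME",
                 "_RLD*", "DYLD_*", "LD_*", "LDR_*", "LIBPATH", "SHLIB_PATH"]

def parse_sshd_config(text):
    """{keyword_lower: [values...]}; values accumulate across repeated lines.
    OpenSSH honours the first occurrence of a single-valued keyword (values[0])."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.replace("=", " ", 1).split()  # "Key value" or "Key=value"
            conf.setdefault(parts[0].lower(), []).extend(parts[1:])
    return conf

def env_is_forbidden(entry):
    """An AcceptEnv entry may itself be a glob (LC_*, or a bare *), so test both
    directions: the entry names a forbidden variable, or its glob would admit one."""
    return any(fnmatchcase(entry, p) or fnmatchcase(p, entry) for p in FORBIDDEN_ENV)

def audit_user_resources(text):
    """Return a list of findings; an empty list means AV.1.9.1-3 are met."""
    conf = parse_sshd_config(text)
    findings = []
    # AV.1.9.1: OpenSSH defaults to "no"; any explicit value other than "no" fails.
    pue = conf.get("permituserenvironment", ["no"])[0].lower()
    if pue != "no":
        findings.append("AV.1.9.1 PermitUserEnvironment is %s, must be no" % pue)
    # AV.1.9.2: OpenSSH defaults to "yes"; an explicit "no" disables the check.
    sm = conf.get("strictmodes", ["yes"])[0].lower()
    if sm != "yes":
        findings.append("AV.1.9.2 StrictModes is %s, must be yes" % sm)
    # AV.1.9.3: each accepted name (or glob) is tested against the forbidden list.
    for entry in conf.get("acceptenv", []):
        if env_is_forbidden(entry):
            findings.append("AV.1.9.3 AcceptEnv admits forbidden variable %s" % entry)
    return findings

SAMPLE_CONFIG = """\
# constructed sample, not a real host's configuration
PermitUserEnvironment yes
StrictModes no
AcceptEnv LANG LC_*
AcceptEnv LD_PRELOAD *
"""
```

Running `audit_user_resources(SAMPLE_CONFIG)` on the sample reports four findings: the two wrong settings, the LD_PRELOAD entry and the bare `*` glob; `LANG` and `LC_*` pass.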
B
N
AV.2.0.1.1
Business Use Notice
Business Use Notice
None
The PrintMotd option must be set to “yes”.
B
N
AV.2.0.1.2
Business Use Notice
Business use Notice VanDyke Vshell
None
The "MOTD Path" setting must be set to the path of a file that contains the required business use notice.
B
N
AV.2.0.1.3
Business Use Notice
Business use Notice Bitvise WinSSHD
None
The "Session - Banner message file" setting must be set to the path of a file that contains the required business use notice.
B
N
AV.2.0.1.4
Business Use Notice
Business use Notice Attachmate RSIT Windows Server
None
The "General - Banner message file" setting must be set to the path of a file that contains the required business use notice.
B
N
AV.2.1.1.1
Encryption
Data Transmission
None
SSL / OpenSSL: If SSH protocol version 1 is enabled, the required bit length value for public key ciphers specified in the policy must be specified in the ServerKeyBits option.
B
N
AV.2.1.1.2
Encryption
Data Transmission - All native encryption ciphers
None
Must meet the minimum bit length value specified in the base policy
B
N
AV.2.1.1.3
Encryption
Data Transmission DES algorithm
None
The DES algorithm uses 56-bit keys and is relatively easy to compromise. Therefore it must not be used.
B
N
AV.2.1.1.4
Encryption
Data Transmission Server host keys
None
Must meet the minimum bit length value for public key ciphers specified in the base policy
B
N
AV.2.1.1.5
Encryption
Algorithms - Encryption
Configures the encryption algorithms that are used.
The "Algorithms - Encryption" settings must not have "none" selected.
(Bitvise WinSSHD Only - OS: Windows)
B
N
AV.2.1.1.6
Encryption
Encryption - Ciphers
Configures the encryption algorithms that are used.
The "Encryption - Ciphers" setting must not be set to "None".
(Attachmate RSIT Windows Server - OS: Windows)
B
N
AV.2.1.1.7
Encryption
Authentication - Public Key - Public key minimum length
Configures the minimum length for public keys.
The "Authentication - Public Key - Public key minimum length" setting must be 1024 or greater.
(Attachmate RSIT Windows Server - OS: Windows)
I
N
AV.2.1.2
Encryption
File/Database Storage
No requirements in this category
B
N
AV.2.2.1.1
Passphrases
Private Key Passphrases
passphrase
A passphrase must be assigned to all private keys that are used for user authentication and must not be shared.
B
N
AV.2.2.1.2
Passphrases
Private Key Passphrases
passphrase
Passphrases must consist of a minimum of 5 words, each of minimum length 4 characters, and are exempt from the syntax rule requiring a mix of alphabetic and non-alphabetic characters. All other password rules are applicable.
B
N
AV.2.2.1.3
Passphrases
Private Key Passphrases - system-to-system authentication
passphrase
A null passphrase may be used as long as the authorized_keys file limits access only from specific hosts by specifying the "from" option with the appropriate value. In order to prevent the keys from being used for interactive user logins, the private key file on the originating hosts must be owned by application IDs, which do not have authority to login by remote, and may only be readable and writable by the file owner.
B
N
AV.2.2.1.4
Passphrases
Private Key Passphrases - security administrative and system authority
passphrase
Private keys used to gain access to IDs having security administrative or system authority, or to system security users/groups, must be accessible only by password-authenticated users that have security administrative or system authority or capability. Any authorized_keys or authorized_keys2 file that grants access to an ID having security administrative or system authority must limit access only from specific hosts by specifying the "from" option with the appropriate value.
I
N
AV.3.0.0
Process Exceptions
No requirements in this category
I
Y
AV.5.0.0
Privileged Authorizations/Userids
Note
Description of privileged IDs: The rows in section 5 below describe the list of user IDs or groups that have privileged authority.
No value to be set
B
Y
AV.5.0.1
Privileged Authorizations/Userids
The user ID used for privilege separation (typically called "sshd" on Unix systems)
None
Must not be a member of any group that grants system or security administrative authority, as defined by the applicable OS Technical Specification. May be a member of the "sshd" group, regardless of the associated GID, as this group is not considered to grant system or security administrative authority.
I
Y
AV.5.0.2
Privileged Authorizations/Userids
Note
SSH uses the authentication facilities of the operating system on which it runs.
No value to be set