STIGQter STIGQter: STIG Summary: Oracle Linux 7 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The Oracle Linux operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.

DISA Rule

SV-221849r603260_rule

Vulnerability Number

V-221849

Group Title

SRG-OS-000163-GPOS-00072

Rule Version

OL07-00-040320

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the operating system to terminate a user session automatically after inactivity time-outs have expired or at shutdown.

Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):

ClientAliveInterval 600

The SSH service must be restarted for changes to take effect.

Check Contents

Verify the operating system automatically terminates a user session after inactivity time-outs have expired.

Check for the value of the "ClientAliveInterval" keyword with the following command:

# grep -iw clientaliveinterval /etc/ssh/sshd_config

ClientAliveInterval 600

If "ClientAliveInterval" is not configured, commented out, or has a value of "0", this is a finding.

If "ClientAliveInterval" has a value that is greater than "600" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.

Vulnerability Number

V-221849

Documentable

False

Rule Version

OL07-00-040320

Severity Override Guidance

Verify the operating system automatically terminates a user session after inactivity time-outs have expired.

Check for the value of the "ClientAliveInterval" keyword with the following command:

# grep -iw clientaliveinterval /etc/ssh/sshd_config

ClientAliveInterval 600

If "ClientAliveInterval" is not configured, commented out, or has a value of "0", this is a finding.

If "ClientAliveInterval" has a value that is greater than "600" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.

Check Content Reference

M

Target Key

4089

Comments