CCE-99105-9Platform: cpe:/o:apple:mac_os_12 | Date: (C)2022-05-31 (M)2023-07-04 |
SSH should be configured to log users out after a 15 minute interval of inactivity and to only wait 30 seconds before timing out login attempts. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session or an incomplete login attempt will also free up resources committed by the managed network element.
Parameter:
[Seconds, Maximum_Count, Seconds]
Technical Mechanism:
In order to make sure that ClientAliveInterval is set correctly, run the following command:
sudo sed -i.bak 's/.*ClientAliveInterval.*/ClientAliveInterval 600/' /etc/sshd_config
In order to make sure that the SSH idle timeout occurs precisely when the 'ClientAliveCountMax' is set, run the following command:
sudo sed -i.bak 's/.*ClientAliveCountMax.*/ClientAliveCountMax 0/' /etc/sshd_config
In order to make sure that LoginGraceTime is configured correctly, run the following command:
sudo sed -i.bak 's/.*LoginGraceTime.*/LoginGraceTime 30/' /etc/sshd_config
CCSS Severity: | CCSS Metrics: |
CCSS Score : 8.1 | Attack Vector: NETWORK |
Exploit Score: 2.2 | Attack Complexity: HIGH |
Impact Score: 5.9 | Privileges Required: NONE |
Severity: HIGH | User Interaction: NONE |
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | Scope: UNCHANGED |
| Confidentiality: HIGH |
| Integrity: HIGH |
| Availability: HIGH |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:80539 |