fix ssh ClientAliveCountMax check #461

Open
wants to merge 1 commit into
base: main
18 changes: 14 additions & 4 deletions core/mondoo-linux-security.mql.yaml
Expand Up @@ -2690,17 +2690,27 @@ queries:
title: Ensure SSH Idle Timeout Interval is configured
impact: 60
mql: |
sshd.config.params["ClientAliveInterval"] >= 1
sshd.config.params["ClientAliveInterval"] <= 300
sshd.config.params["ClientAliveCountMax"] = 0
defaultBlock = sshd.config.blocks.where(criteria.in([""]) == props.checkDefaultMatchBlock && criteria == "");

userBlocks = sshd.config.blocks.where(criteria.contains(props.excludedMatchBlocks) == false && criteria != "");

userBlocks.all(params.ClientAliveInterval >= 1)
userBlocks.all(params.ClientAliveInterval <= 900)
userBlocks.all(params.ClientAliveCountMax > 0)
userBlocks.all(params.ClientAliveCountMax <= 3)

defaultBlock.all(params.ClientAliveInterval >= 1)
defaultBlock.all(params.ClientAliveInterval <= 900)
defaultBlock.all(params.ClientAliveCountMax > 0)
defaultBlock.all(params.ClientAliveCountMax <= 3)
docs:
desc: The two options `ClientAliveInterval` and `ClientAliveCountMax` control the timeout of ssh sessions. When the `ClientAliveInterval` variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the `ClientAliveCountMax` variable is set, `sshd` will send client alive messages at every `ClientAliveInterval` interval. When the number of consecutive client alive messages are sent with no response from the client, the `ssh` session is terminated. For example, if the `ClientAliveInterval` is set to 15 seconds and the `ClientAliveCountMax` is set to 3, the client `ssh` session will be terminated after 45 seconds of idle time.
remediation: |-
Edit the `/etc/ssh/sshd_config` file to set the `ClientAliveInterval` and `ClientAliveCountMax` parameters according to site policy:

```
ClientAliveInterval 300
ClientAliveCountMax 0
ClientAliveCountMax 3
```
- uid: mondoo-linux-security-ssh-logingracetime-is-set-to-one-minute-or-less
title: Ensure SSH LoginGraceTime is set to one minute or less
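Review bot: The `ClientAliveInterval` upper bound in both the `userBlocks` and `defaultBlock` assertions moves from 300 to 900, which the PR title (a `ClientAliveCountMax` fix) does not mention and the `desc` text does not explain. Combined with `ClientAliveCountMax <= 3`, the check now accepts up to 2700 seconds before an unresponsive client is dropped, while the remediation still shows `ClientAliveInterval 300`. Either keep `<= 300` or state the new limit and where it comes from in `desc`. Also worth confirming: `userBlocks.all(params.ClientAliveInterval >= 1)` may fail for a `Match` block that omits the keyword, even though sshd applies the global value there, so check how an absent param evaluates and whether such blocks should be skipped. `props.checkDefaultMatchBlock` and `props.excludedMatchBlocks` are used in the new filters but their declarations and defaults are not visible in this hunk, so make sure they are defined for this query. The `defaultBlock` filter, `criteria.in([""]) == props.checkDefaultMatchBlock && criteria == ""`, yields an empty list when the prop is false, so every `defaultBlock.all(...)` passes vacuously; if that is the intended off switch, a short comment saying so would help.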