metadata/service/server/cis/cis-5-2-12.yml - salt-formulas/openssh - Gitiles

 # 5.2.12 Ensure SSH Idle Timeout Interval is configured (Scored)
 #
 # Profile Applicability
 # ---------------------
 # - Level 1 - Server
 # - Level 1 - Workstation
 #
 # Description
 # -----------
 # The two options ClientAliveInterval and ClientAliveCountMax control the timeout of
 # ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no
 # activity for the specified length of time are terminated. When the ClientAliveCountMax
 # variable is set, sshd will send client alive messages at every ClientAliveInterval
 # interval. When the number of consecutive client alive messages are sent with no response
 # from the client, the ssh session is terminated. For example, if the ClientAliveInterval is
 # set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be
 # terminated after 45 seconds of idle time.
 #
 # Rationale
 # ---------
 # Having no timeout value associated with a connection could allow an unauthorized user
 # access to another user's ssh session (e.g. user walks away from their computer and doesn't
 # lock the screen). Setting a timeout value at least reduces the risk of this happening..
 # While the recommended setting is 300 seconds (5 minutes), set this timeout value based on
 # site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client
 # session will be terminated after 5 minutes of idle time and no keepalive messages will be
 # sent.
 #
 # Audit
 # -----
 # Run the following commands and verify ClientAliveInterval is 300 or less and
 # ClientAliveCountMax is 3 or less:
 #
 #   # grep "^ClientAliveInterval" /etc/ssh/sshd_config
 #   ClientAliveInterval 300
 #   # grep "^ClientAliveCountMax" /etc/ssh/sshd_config
 #   ClientAliveCountMax 0
 #
 # Remediation
 # -----------
 # Edit the /etc/ssh/sshd_config file to set the parameters as follows:
 #
 #   ClientAliveInterval 300
 #   ClientAliveCountMax 0

 parameters:
   openssh:
     server:
       alive:
         interval: 300
         count: 0
	# 5.2.12 Ensure SSH Idle Timeout Interval is configured (Scored)
	#
	# Profile Applicability
	# ---------------------
	# - Level 1 - Server
	# - Level 1 - Workstation
	#
	# Description
	# -----------
	# The two options ClientAliveInterval and ClientAliveCountMax control the timeout of
	# ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no
	# activity for the specified length of time are terminated. When the ClientAliveCountMax
	# variable is set, sshd will send client alive messages at every ClientAliveInterval
	# interval. When the number of consecutive client alive messages are sent with no response
	# from the client, the ssh session is terminated. For example, if the ClientAliveInterval is
	# set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be
	# terminated after 45 seconds of idle time.
	#
	# Rationale
	# ---------
	# Having no timeout value associated with a connection could allow an unauthorized user
	# access to another user's ssh session (e.g. user walks away from their computer and doesn't
	# lock the screen). Setting a timeout value at least reduces the risk of this happening..
	# While the recommended setting is 300 seconds (5 minutes), set this timeout value based on
	# site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client
	# session will be terminated after 5 minutes of idle time and no keepalive messages will be
	# sent.
	#
	# Audit
	# -----
	# Run the following commands and verify ClientAliveInterval is 300 or less and
	# ClientAliveCountMax is 3 or less:
	#
	# # grep "^ClientAliveInterval" /etc/ssh/sshd_config
	# ClientAliveInterval 300
	# # grep "^ClientAliveCountMax" /etc/ssh/sshd_config
	# ClientAliveCountMax 0
	#
	# Remediation
	# -----------
	# Edit the /etc/ssh/sshd_config file to set the parameters as follows:
	#
	# ClientAliveInterval 300
	# ClientAliveCountMax 0

	parameters:
	openssh:
	server:
	alive:
	interval: 300
	count: 0