AlmaLinux OS 9 must not allow users to override SSH environment variables.

STIG ID: ALMA-09-043030  |  SRG: SRG-OS-000425-GPOS-00189 |  Severity: medium |  CCI: CCI-002420 |  Vulnerability Id: V-269439

Vulnerability Discussion

SSH environment options potentially allow users to bypass access restriction in some configurations.

Check

Verify the SSH daemon prevents users from overriding SSH environment variables with the following command:

$ sshd -T | grep permituserenvironment

permituserenvironment no

If the "PermitUserEnvironment" keyword is set to "yes", or no output is returned, this is a finding.

Fix

To configure the system to prevent users from overriding SSH environment variables, add or modify the following line in "/etc/ssh/sshd_config":

PermitUserEnvironment no

Alternatively, add the setting to an include file if the line "Include /etc/ssh/sshd_config.d/*.conf" is found at the top of the "/etc/ssh/sshd_config" file:

$ echo "PermitUserEnvironment no" > /etc/ssh/sshd_config.d/environment.conf

Restart the SSH daemon for the settings to take effect:

$ systemctl restart sshd.service
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.