Do Not Allow SSH Environment Options

An XCCDF Rule

Description

Ensure that users are not able to override environment variables of the SSH daemon.
The default SSH configuration disables environment processing. The appropriate configuration is used if no value is set for PermitUserEnvironment.
To explicitly disable Environment options, add or correct the following /etc/ssh/sshd_config:

PermitUserEnvironment no

Rationale

SSH environment options potentially allow users to bypass access restriction in some configurations.

ID: xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
Severity: Medium
References: 11 3 9

5.5.6

BAI10.01 BAI10.02 BAI10.03 BAI10.05

3.1.12

CCI-000366

164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii)

4.3.4.3.2 4.3.4.3.3

SR 7.6

A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4

CM-6(b) CM-6.1(iv)

PR.IP-1

Req-2.2.4

2.2 2.2.6

SRG-OS-000480-GPOS-00229

SLES-15-040440

5.2.12

CCE-85666-6

SV-235032r991591_rule
Updated: 5 days ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-85666-6
  - CJIS-5.5.6  - DISA-STIG-SLES-15-040440
  - NIST-800-171-3.1.12
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - PCI-DSS-Req-2.2.4
  - PCI-DSSv4-2.2
  - PCI-DSSv4-2.2.6
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_do_not_permit_user_env

- name: Do Not Allow SSH Environment Options
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)(?i)^\s*PermitUserEnvironment\s+
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)(?i)^\s*PermitUserEnvironment\s+
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)(?i)^\s*PermitUserEnvironment\s+
      line: PermitUserEnvironment no
      state: present
      insertbefore: BOF
      validate: /usr/sbin/sshd -t -f %s
  when: '"kernel-default" in ansible_facts.packages'
  tags:
  - CCE-85666-6
  - CJIS-5.5.6
  - DISA-STIG-SLES-15-040440
  - NIST-800-171-3.1.12
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - PCI-DSS-Req-2.2.4
  - PCI-DSSv4-2.2
  - PCI-DSSv4-2.2.6
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_do_not_permit_user_env

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default; then

if [ -e "/etc/ssh/sshd_config" ] ; then
    
    LC_ALL=C sed -i "/^\s*PermitUserEnvironment\s\+/Id" "/etc/ssh/sshd_config"else
    touch "/etc/ssh/sshd_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config"

cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert at the beginning of the file
printf '%s\n' "PermitUserEnvironment no" > "/etc/ssh/sshd_config"
cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Do Not Allow SSH Environment Options

Description

Rationale

Remediation - Ansible

Remediation - Shell Script