← Back to Oracle Linux 7 Security Technical Implementation Guide

V-221863

CAT II (Medium)

The Oracle Linux operating system must be configured so that the SSH daemon uses privilege separation.

Rule ID

SV-221863r991589_rule

STIG

Oracle Linux 7 Security Technical Implementation Guide

Version

V3R5

CCIs

CCI-000366

Discussion

SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.

Check Content

Verify the SSH daemon performs privilege separation.

Check that the SSH daemon performs privilege separation with the following command:

# grep -i usepriv /etc/ssh/sshd_config

UsePrivilegeSeparation sandbox

If the "UsePrivilegeSeparation" keyword is set to "no", is missing, or the returned line is commented out, this is a finding.

Fix Text

Uncomment the "UsePrivilegeSeparation" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "sandbox" or "yes":

UsePrivilegeSeparation sandbox

The SSH service must be restarted for changes to take effect.