← Back to Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide

V-269439

CAT II (Medium)

AlmaLinux OS 9 must not allow users to override SSH environment variables.

Rule ID

SV-269439r1050322_rule

STIG

Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide

Version

V1R6

CCIs

CCI-002420

Discussion

SSH environment options potentially allow users to bypass access restriction in some configurations.

Check Content

Verify the SSH daemon prevents users from overriding SSH environment variables with the following command:

$ sshd -T | grep permituserenvironment

permituserenvironment no

If the "PermitUserEnvironment" keyword is set to "yes", or no output is returned, this is a finding.

Fix Text

To configure the system to prevent users from overriding SSH environment variables, add or modify the following line in "/etc/ssh/sshd_config":

PermitUserEnvironment no

Alternatively, add the setting to an include file if the line "Include /etc/ssh/sshd_config.d/*.conf" is found at the top of the "/etc/ssh/sshd_config" file:

$ echo "PermitUserEnvironment no" > /etc/ssh/sshd_config.d/environment.conf

Restart the SSH daemon for the settings to take effect:

$ systemctl restart sshd.service