← Back to Red Hat Enterprise Linux 7 Security Technical Implementation Guide

V-204601

CAT II (Medium)

The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege separation.

Rule ID

SV-204601r991589_rule

STIG

Red Hat Enterprise Linux 7 Security Technical Implementation Guide

Version

V3R15

CCIs

CCI-000366

Discussion

SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.

Check Content

Verify the SSH daemon performs privilege separation.

Check that the SSH daemon performs privilege separation with the following command:

# grep -i usepriv /etc/ssh/sshd_config

UsePrivilegeSeparation sandbox

If the "UsePrivilegeSeparation" keyword is set to "no", is missing, or the returned line is commented out, this is a finding.

Fix Text

Uncomment the "UsePrivilegeSeparation" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "sandbox" or "yes":

UsePrivilegeSeparation sandbox

The SSH service must be restarted for changes to take effect.