{"description": "Compression is useful for slow network connections over long\ndistances but can cause performance issues on local LANs. If use of compression\nis required, it should be enabled only after a user has authenticated; otherwise,\nit should be disabled. To disable compression or delay compression until after\na user has successfully authenticated, add or correct the following line in the\n<tt>/etc/ssh/sshd_config</tt> file:\n<pre>Compression <sub idref=\"var_sshd_disable_compression\" /></pre>\nNote that sshd keeps the first value it reads for a keyword and that the Ubuntu 22.04\n<tt>sshd_config</tt> begins with <tt>Include /etc/ssh/sshd_config.d/*.conf</tt>, so a\n<tt>Compression</tt> line in a drop-in file overrides one placed later in the main file.\nAlso note that OpenSSH 7.4 and later (Ubuntu 22.04 ships OpenSSH 8.9) removed\npre-authentication compression from sshd entirely; there <tt>delayed</tt> is a legacy\nsynonym for <tt>yes</tt>, and <tt>sshd -T</tt> reports either one as <tt>compression yes</tt>.", "rationale": "If compression is allowed in an SSH connection prior to authentication,\nvulnerabilities in the compression software could result in compromise of the\nsystem from an unauthenticated connection, potentially with root privileges.", "severity": "medium", "references": {"cis-csc": ["11", "3", "9"], "cobit5": ["BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05"], "cui": ["3.1.12"], "hipaa": ["164.308(a)(4)(i)", "164.308(b)(1)", "164.308(b)(3)", "164.310(b)", "164.312(e)(1)", "164.312(e)(2)(ii)"], "isa-62443-2009": ["4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 7.6"], "iso27001-2013": ["A.12.1.2", "A.12.5.1", "A.12.6.2", "A.14.2.2", "A.14.2.3", "A.14.2.4"], "nist": ["AC-17(a)", "CM-7(a)", "CM-7(b)", "CM-6(a)"], "nist-csf": ["PR.IP-1"], "srg": ["SRG-OS-000480-GPOS-00227"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "it is commented out, or is not set to no or delayed", "ocil": "To check if compression is disabled or correctly delayed, run the\nfollowing command, which also covers the drop-in files included from the main\nconfiguration:\n<pre>$ sudo grep -i '^[[:space:]]*Compression' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf</pre>\nIf configured properly, every line returned should read <pre>Compression no</pre> or\n<pre>Compression delayed</pre>. A line from a drop-in file takes precedence over the\nmain file, because the drop-in directory is included before any other setting.", "oval_external_content": null, "fixtext": "To configure the system, add or modify the following line in \"/etc/ssh/sshd_config\"\nand make sure no file in \"/etc/ssh/sshd_config.d\" overrides it.\nCompression <sub idref=\"var_sshd_disable_compression\" />\nRestart the SSH daemon for the settings to take effect:\n$ sudo systemctl restart sshd.service", "checktext": "", "vuldiscussion": "", 
"srg_requirement": "The Ubuntu 22.04 SSH daemon must not allow compression or must only allow compression after successful authentication.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "The Ubuntu 22.04 SSH daemon must not allow compression or must only allow compression after successful authentication.", "vuldiscussion": "If compression is allowed in an SSH connection prior to authentication,\nvulnerabilities in the compression software could result in compromise of the\nsystem from an unauthenticated connection, potentially with root privileges.", "checktext": "Verify the SSH daemon either disables compression or performs compression only after a user successfully authenticates with the following command:\n\n$ sudo grep -ir compression /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*\n\nCompression delayed\n\nIf the \"Compression\" keyword is set to \"yes\", is missing, or the returned line is commented out, this is a finding.\n\nIf more than one line is returned, the line from a file in \"/etc/ssh/sshd_config.d\" is the one in effect, because that directory is included at the top of \"/etc/ssh/sshd_config\" and sshd keeps the first value it reads for a keyword.", "fixtext": "Configure the SSH daemon to disable compression, or to allow it only after successful authentication.\n\nUncomment the \"Compression\" keyword in \"/etc/ssh/sshd_config\" on the system and set the value to \"delayed\" or \"no\":\n\nCompression no\n\nThe SSH service must be restarted for changes to take effect:\n\n$ sudo systemctl restart sshd.service"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Disable Compression Or Set Compression to delayed", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml", "template": {"name": "sshd_lineinfile", "vars": {"parameter": "Compression", "xccdf_variable": "var_sshd_disable_compression", "datatype": "string"}, "backends": {}}}
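Worked example, added by the editor and not part of the SCAP Security Guide rule or its sshd_lineinfile template: the OCIL and STIG checks above grep for the Compression keyword, but what sshd actually applies is the first value it reads, and on Ubuntu 22.04 the drop-in directory is included at the very top of sshd_config. The script below computes that effective value for a configuration tree, treats a missing directive as the default "yes", ignores commented and Match-block lines, and then applies the rule's pass condition ("no" or "delayed"). Assumptions: Include arguments are absolute paths or globs, Match blocks are skipped entirely (Compression is not permitted inside them; conditional Include within Match is not handled), there is no include cycle detection, and the sample files are constructed in a temporary directory rather than read from a real host.

```shell
#!/bin/sh
# Added example (not part of the SCAP Security Guide rule): compute the
# EFFECTIVE sshd "Compression" value for a configuration tree instead of
# stopping at the first grep hit. Facts encoded here:
#   1. sshd keeps the first value it reads for a keyword, and Ubuntu 22.04's
#      sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf", so a
#      drop-in overrides a "Compression no" placed lower in the main file.
#   2. With no directive at all the default is "yes".
# On a live host `sudo sshd -T | grep -i '^compression'` is authoritative;
# this parser is for reviewing a copied /etc/ssh tree offline.
# Assumptions: Include arguments are absolute paths/globs, Match blocks are
# skipped (Compression is not valid there), no include-cycle detection.

# effective_compression FILE -> prints "yes", "no" or "delayed"
effective_compression() {
    _first_compression "$1" || echo yes
}

# Body runs in a subshell so each Include recursion gets its own variables.
# Prints the first Compression value in effective order and exits 0, or
# exits 1 if the tree sets none.
_first_compression() (
    file=$1
    in_match=0
    set -f                                   # no globbing while splitting lines
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                         # split into keyword + arguments
        [ $# -eq 0 ] && continue             # blank line
        case $1 in '#'*) continue ;; esac    # comment line
        key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
        val=${2:-}
        case $key in match) in_match=1; continue ;; esac
        [ "$in_match" -eq 1 ] && continue    # nothing inside Match counts
        case $key in
            include)
                set +f                       # let the argument glob-expand
                for f in $val; do
                    [ -f "$f" ] && _first_compression "$f" && exit 0
                done
                set -f ;;
            compression)
                printf '%s\n' "$val" | tr '[:upper:]' '[:lower:]'
                exit 0 ;;
        esac
    done < "$file"
    exit 1
)

# compression_compliant FILE -> 0 if the rule is met ("no" or "delayed")
compression_compliant() {
    case $(effective_compression "$1") in
        no|delayed) return 0 ;;
        *)          return 1 ;;
    esac
}

# Demonstration on constructed files (not a real host's configuration):
# the main file says "no", but the drop-in included at the top says "yes".
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sshd_config.d"
    printf 'Include %s/sshd_config.d/*.conf\n# Compression no\nCompression no\n' \
        "$tmp" > "$tmp/sshd_config"
    printf 'Compression yes\n' > "$tmp/sshd_config.d/50-example.conf"
    effective_compression "$tmp/sshd_config"   # prints "yes": the drop-in wins, a finding
    rm -rf "$tmp"
}

demo
```

Because OpenSSH 7.4 and later treats "delayed" as a legacy synonym for "yes", `sshd -T` on Ubuntu 22.04 prints `compression yes` for a file that says `Compression delayed`; matching the runtime dump against the word "delayed" will therefore never succeed there, which is why the script above classifies the configured text rather than the dump.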