{"description": "By default, the SSH configuration allows any user with an account\nto access the system. There are several options available to limit\nwhich users and group can access the system via SSH. It is\nrecommended that at least one of the following options be leveraged:\n- AllowUsers variable gives the system administrator the option of\n  allowing specific users to ssh into the system. The list consists of\n  space separated user names. Numeric user IDs are not recognized with\n  this variable. If a system administrator wants to restrict user\n  access further by specifically allowing a user's access only from a\n  particular host, the entry can be specified in the form of user@host.\n- AllowGroups variable gives the system administrator the option of\n  allowing specific groups of users to ssh into the system. The list\n  consists of space separated group names. Numeric group IDs are not\n  recognized with this variable.\n- DenyUsers variable gives the system administrator the option of\n  denying specific users to ssh into the system. The list consists of\n  space separated user names. Numeric user IDs are not recognized with\n  this variable. If a system administrator wants to restrict user\n  access further by specifically denying a user's access from a\n  particular host, the entry can be specified in the form of user@host.\n- DenyGroups variable gives the system administrator the option of\n  denying specific groups of users to ssh into the system. The list\n  consists of space separated group names. Numeric group IDs are not\n  recognized with this variable.", "rationale": "Specifying which accounts are allowed SSH access into the system reduces the\npossibility of unauthorized access to the system.", "severity": "unknown", "references": {"cis-csc": ["11", "12", "14", "15", "16", "18", "3", "5"], "cobit5": ["DSS05.02", "DSS05.04", "DSS05.05", "DSS05.07", "DSS06.03", "DSS06.06"], "cui": ["3.1.12"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7"], "iso27001-2013": ["A.6.1.2", "A.7.1.1", "A.9.1.2", "A.9.2.1", "A.9.2.3", "A.9.4.1", "A.9.4.4", "A.9.4.5"], "nerc-cip": ["CIP-003-8 R5.1.1", "CIP-003-8 R5.3", "CIP-004-6 R2.2.3", "CIP-004-6 R2.3", "CIP-007-3 R5.1", "CIP-007-3 R5.1.2", "CIP-007-3 R5.2", "CIP-007-3 R5.3.1", "CIP-007-3 R5.3.2", "CIP-007-3 R5.3.3"], "nist": ["AC-3", "CM-6(a)"], "nist-csf": ["PR.AC-4", "PR.AC-6", "PR.PT-3"], "pcidss": ["Req-2.2.4"], "cis": ["5.1.4"], "pcidss4": ["2.2.6", "2.2"]}, "control_references": {"cis": ["5.1.4"], "pcidss4": ["2.2.6", "2.2"]}, "components": [], "identifiers": {}, "ocil_clause": "sshd does not limit the users who can log in", "ocil": "To ensure sshd limits the users who can log in, run the following:\n<pre>$ sudo grep -rPi '^\\h*(allow|deny)(users|groups)\\h+\\H+(\\h+.*)?$' /etc/ssh/sshd_config*</pre>\nIf properly configured, the output should be a list of usernames and/or\ngroups allowed to log in to this system.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "Automated remediation is not available for this configuration check\nbecause each system has unique user names and group names."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Limit Users' SSH Access", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/rule.yml", "template": null}