{"description": "The <tt>RekeyLimit</tt> parameter specifies how often\nthe session key is renegotiated, both in terms of the\namount of data that may be transmitted and the time\nelapsed.<br/>\nTo decrease the default limits, add or correct the following line in\n\n<tt>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</tt>:\n\n<pre>RekeyLimit <sub idref=\"var_rekey_limit_size\" /> <sub idref=\"var_rekey_limit_time\" /></pre>", "rationale": "By decreasing the limit based on the amount of data and enabling a\ntime-based limit, the effects of potential attacks against\nencryption keys are limited.", "severity": "medium", "references": {"ospp": ["FCS_SSH_EXT.1.8"], "srg": ["SRG-OS-000480-GPOS-00227", "SRG-OS-000033-GPOS-00014"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "it is commented out or is not set", "ocil": "To check if RekeyLimit is set correctly, run the\nfollowing command:\n\n<pre>$ sudo grep RekeyLimit /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*</pre>\n\nIf configured properly, the output should be\n<pre>RekeyLimit <sub idref=\"var_rekey_limit_size\" /> <sub idref=\"var_rekey_limit_time\" /></pre>", "oval_external_content": null, "fixtext": "\nConfigure Ubuntu 22.04 to force a frequent session key renegotiation for SSH connections to the server by adding or modifying the following line in the \"/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf\" file:\n\nRekeyLimit <sub idref=\"var_rekey_limit_size\" /> <sub idref=\"var_rekey_limit_time\" />\n\nRestart the SSH daemon for the settings to take effect.\n\n$ sudo systemctl restart sshd.service", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must force a frequent session key renegotiation for SSH connections to the server.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must force a frequent session key renegotiation for SSH connections to the server.",
"vuldiscussion": "Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.\n\nThis requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.\n\nProtecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.\n\nSession key regeneration limits the chances of a session key becoming compromised.", "checktext": "Verify the SSH server is configured to force frequent session key renegotiation with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*rekeylimit'\n\nRekeyLimit 1G 1h\n\nIf it is commented out or is not set, then this is a finding.", "fixtext": "Configure Ubuntu 22.04 to force a frequent session key renegotiation for SSH connections to the server by adding or modifying the following line in the \"/etc/ssh/sshd_config\" or in a file in \"/etc/ssh/sshd_config.d\":\n\nRekeyLimit 1G 1h\n\nRestart the SSH daemon for the settings to take effect.\n\n$ sudo systemctl restart sshd.service"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Force frequent session key renegotiation", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml", "template": null}