{"description": "By default, the SELinux boolean <tt>ssh_sysadm_login</tt> is disabled.\nIf this setting is enabled, it should be disabled.\n\nTo disable the <code>ssh_sysadm_login</code> SELinux boolean, run the following command:\n<pre>$ sudo setsebool -P ssh_sysadm_login off</pre>", "rationale": "Preventing non-privileged users from executing privileged functions mitigates\nthe risk that unauthorized individuals or processes may gain unnecessary access\nto information or privileges.\n\nPrivileged functions include, for example, establishing accounts, performing\nsystem integrity checks, or administering cryptographic key management\nactivities. Non-privileged users are individuals who do not possess appropriate\nauthorizations. Circumventing intrusion detection and prevention mechanisms or\nmalicious code protection mechanisms are examples of privileged functions that\nrequire protection from non-privileged users.", "severity": "medium", "references": {"srg": ["SRG-OS-000324-GPOS-00125"], "anssi": ["R48"]}, "control_references": {"anssi": ["R48"]}, "components": [], "identifiers": {}, "ocil_clause": "ssh_sysadm_login is not disabled", "ocil": "\nRun the following command to determine if the <code>ssh_sysadm_login</code> SELinux boolean is disabled:\n<pre>$ getsebool ssh_sysadm_login</pre>\nIf properly configured, the output should show the following:\n<code>ssh_sysadm_login --> off</code>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {"check-import": "stdout", "check-export": ["var_ssh_sysadm_login=xccdf_org.ssgproject.content_value_var_ssh_sysadm_login"], "platform": ["multi_platform_all"], "environment": "any", "filename": "sebool_ssh_sysadm_login.sh", "relative_path": "ubuntu2204/checks/sce/sebool_ssh_sysadm_login.sh"}, "inherited_platforms": ["system_with_kernel", "selinux or bootc or osbuild"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["bootc_or_osbuild_or_selinux", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Disable the ssh_sysadm_login SELinux Boolean", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml", "template": {"name": "sebool", "vars": {"seboolid": "ssh_sysadm_login"}, "backends": {}}}