{"description": "The LoginGraceTime parameter to the SSH server specifies the time allowed for successful authentication to\nthe SSH server. The longer the Grace period is the more open unauthenticated connections\ncan exist. Like other session controls in this session the Grace Period should be limited to\nappropriate limits to ensure the service is available for needed access.", "rationale": "Setting the LoginGraceTime parameter to a low number will minimize the risk of successful\nbrute force attacks to the SSH server. It will also limit the number of concurrent\nunauthenticated connections.", "severity": "medium", "references": {"cis": ["5.1.13"], "pcidss4": ["2.2.6", "2.2"]}, "control_references": {"cis": ["5.1.13"], "pcidss4": ["2.2.6", "2.2"]}, "components": [], "identifiers": {}, "ocil_clause": "it is commented out or not configured properly", "ocil": "To ensure LoginGraceTime is set correctly, run the following command:\n
$ sudo grep LoginGraceTime /etc/ssh/sshd_config
\nIf properly configured, the output should be:\n
LoginGraceTime
\nIf the option is set to a number greater than 0, then the unauthenticated session will be disconnected\nafter the configured number seconds.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure SSH LoginGraceTime is configured", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/rule.yml", "template": {"name": "sshd_lineinfile", "vars": {"parameter": "LoginGraceTime", "xccdf_variable": "var_sshd_set_login_grace_time", "datatype": "int", "backends": {"oval": "off"}}, "backends": {}}}