{"description": "Ensure that users are not able to override environment variables of the SSH daemon.\n
\nThe default SSH configuration disables environment processing. The appropriate\nconfiguration is used if no value is set for PermitUserEnvironment.\n
\nTo explicitly disable Environment options, add or correct the following\n\n\n/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:\n\n
PermitUserEnvironment no
", "rationale": "SSH environment options potentially allow users to bypass\naccess restriction in some configurations.", "severity": "medium", "references": {"cis-csc": ["11", "3", "9"], "cjis": ["5.5.6"], "cobit5": ["BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05"], "cui": ["3.1.12"], "hipaa": ["164.308(a)(4)(i)", "164.308(b)(1)", "164.308(b)(3)", "164.310(b)", "164.312(e)(1)", "164.312(e)(2)(ii)"], "isa-62443-2009": ["4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 7.6"], "iso27001-2013": ["A.12.1.2", "A.12.5.1", "A.12.6.2", "A.14.2.2", "A.14.2.3", "A.14.2.4"], "nist": ["AC-17(a)", "CM-7(a)", "CM-7(b)", "CM-6(a)"], "nist-csf": ["PR.IP-1"], "pcidss": ["Req-2.2.4"], "srg": ["SRG-OS-000480-GPOS-00229"], "cis": ["5.1.21"], "ism": ["1546"], "pcidss4": ["2.2.6", "2.2"], "stigid": ["UBTU-22-255025"], "stigref": ["SV-260526r991591_rule"]}, "control_references": {"cis": ["5.1.21"], "ism": ["1546"], "pcidss4": ["2.2.6", "2.2"], "stigid": ["UBTU-22-255025"]}, "components": [], "identifiers": {}, "ocil_clause": "the required value is not set", "ocil": "To determine how the SSH daemon's PermitUserEnvironment option is set, run the following command:\n\n
$ sudo grep -i PermitUserEnvironment /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
\n
$ sudo grep -i PermitUserEnvironment /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
\n\nIf a line indicating no is returned, then the required value is set.\n", "oval_external_content": null, "fixtext": "To configure the system add or modify the following line in \"/etc/ssh/sshd_config\".\n\nPermitUserEnvironment no\n\nRestart the SSH daemon for the settings to take effect:\n\n$ sudo systemctl restart sshd.service", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must not allow users to override SSH environment variables.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must not allow users to override SSH environment variables.", "vuldiscussion": "SSH environment options potentially allow users to bypass access restriction in some configurations.", "checktext": "Verify that unattended or automatic logon via SSH is disabled with the following command:\n\n$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\\r' | tr '\\n' ' ' | xargs sudo grep -iH '^\\s*permituserenvironment'\n\nPermitUserEnvironment no\n\nIf \"PermitUserEnvironment\" is set to \"yes\", is missing completely, or is commented out, this is a finding.\n\nIf the required value is not set, this is a finding.", "fixtext": "Configure the Ubuntu 22.04 SSH daemon to not allow unattended or automatic logon to the system by editing the following line in the \"/etc/ssh/sshd_config\" or in a file in \"/etc/ssh/sshd_config.d\":\n\nPermitUserEnvironment no\n\nRestart the SSH daemon for the setting to take effect:\n\n$ sudo systemctl restart sshd.service"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Do Not Allow SSH Environment Options", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml", "template": {"name": "sshd_lineinfile", "vars": {"parameter": "PermitUserEnvironment", "value": "no", "datatype": "string", "is_default_value": "true"}, "backends": {}}}