The Juniper SRX Services Gateway must immediately terminate SSH network connections when the user logs off, the session abnormally terminates, or an upstream link from the managed device goes down.
From Juniper SRX SG NDM Security Technical Implementation Guide
Part of SRG-APP-000186-NDM-000266
Associated with:
CCI-000879
SV-81025r1_rule
Vulnerability discussion
Terminating dead or abandoned sessions frees device resources and mitigates the risk of an unauthorized user taking over an open idle session. When an administrator logs off normally, the Juniper SRX tears the session down: its contents are no longer readable and no further activity can take place in it. An abnormal termination or a loss of communication with the client, however, produces no log-off signal, so the SSH server must be given a keep-alive count and interval: after each interval of client inactivity the server sends a keep-alive message through the encrypted channel, and once the configured number of messages go unanswered it drops the connection. Both the count and the interval must be set to organization-defined values based on mission requirements and network performance.
Check content
[edit]
show system services ssh
If the output does not show both client-alive-count-max and client-alive-interval, or either is not set to the organization-defined value, this is a finding.
Fix text
Configure the SSH keep-alive count and interval; the placeholders below stand for the organization-defined values.
[edit]
set system services ssh client-alive-count-max <count>
set system services ssh client-alive-interval <seconds>
Note: The keep-alive value and the interval between keep-alive messages must be set based on mission requirements and network performance for each local network.
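As an added example (not part of the STIG and not Juniper tooling), the following Python script applies the check above to saved "show system services ssh" output, in either the hierarchical or the "| display set" form, and emits the fix statements with chosen values, so the review can be automated across many devices. The configuration text and the 300-second / 3-probe values are constructed for illustration and are not mandated values; the script also assumes that a value of 0 for either statement leaves dead-client detection disabled (the OpenSSH semantics these Junos statements mirror), and treats the optional max_dead_time argument as the organization-defined ceiling on how long a dead session may linger.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: "show system services ssh" at [edit] on an SRX where
# keep-alives were never configured (both statements absent).
WEAK_CONFIG = """\
root-login deny;
protocol-version v2;
"""

# Constructed sample: the same hierarchy after the fix. 300 s / 3 probes are
# illustrative, not mandated values.
FIXED_CONFIG = """\
root-login deny;
protocol-version v2;
client-alive-count-max 3;
client-alive-interval 300;
"""

# Constructed sample in "| display set" form; the same regexes match it.
FIXED_CONFIG_SET = """\
set system services ssh root-login deny
set system services ssh client-alive-count-max 3
set system services ssh client-alive-interval 300
"""

_RE_COUNT = re.compile(r"\bclient-alive-count-max\s+(\d+)")
_RE_INTERVAL = re.compile(r"\bclient-alive-interval\s+(\d+)")


@dataclass
class KeepAliveCheck:
    count_max: Optional[int]
    interval: Optional[int]
    finding: bool
    reason: str

    @property
    def disconnect_after_seconds(self) -> Optional[int]:
        """Approximate time a silent client stays connected: one probe per
        interval, dropped after count_max probes go unanswered."""
        if self.count_max is None or self.interval is None:
            return None
        return self.interval * self.count_max


def _value(pattern: "re.Pattern[str]", text: str) -> Optional[int]:
    m = pattern.search(text)
    return int(m.group(1)) if m else None


def check_ssh_keepalive(config_text: str,
                        max_dead_time: Optional[int] = None) -> KeepAliveCheck:
    """Evaluate the STIG check against config text. max_dead_time is the
    organization-defined upper bound (seconds) on how long a dead session may
    linger; None means only presence and non-zero values are required."""
    count_max = _value(_RE_COUNT, config_text)
    interval = _value(_RE_INTERVAL, config_text)
    if count_max is None or interval is None:
        return KeepAliveCheck(count_max, interval, True,
                              "client-alive-count-max or client-alive-interval not configured")
    # Assumption: a value of 0 leaves dead-client detection off (the OpenSSH
    # semantics these Junos statements mirror), so 0 is treated as a finding.
    if interval == 0 or count_max == 0:
        return KeepAliveCheck(count_max, interval, True,
                              "a value of 0 disables keep-alive disconnects")
    result = KeepAliveCheck(count_max, interval, False, "keep-alive configured")
    if max_dead_time is not None and result.disconnect_after_seconds > max_dead_time:
        result.finding = True
        result.reason = (f"dead session may persist {result.disconnect_after_seconds}s, "
                         f"above the allowed {max_dead_time}s")
    return result


def fix_commands(count_max: int, interval: int) -> List[str]:
    """The [edit]-mode statements from the fix text, with the chosen values."""
    if count_max <= 0 or interval <= 0:
        raise ValueError("count and interval must both be positive")
    return [
        f"set system services ssh client-alive-count-max {count_max}",
        f"set system services ssh client-alive-interval {interval}",
    ]


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        r = check_ssh_keepalive(text, max_dead_time=900)
        print(f"{name}: finding={r.finding} ({r.reason})")
    print("\n".join(fix_commands(3, 300)))
```

Feed it the output of "show system services ssh" (or "show configuration system services ssh | display set") captured from each device; the product interval × count is the practical figure to compare against the organization's tolerated idle-session lifetime, since that is roughly how long a crashed client's session survives before the SRX drops it.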