We currently use ssh in our system and are investigating ways to fulfill an Application STIG requirement. Here's the req
APP0530: Session limits do not exist for the application. Its actually a checklist item to determine if you have a security finding. That's why it looks like a negative requirement. Supporting text for this requirement indicates that a limit on the number of sessions per user or process ID OR a maximum limit on the aggregate of all sessions needs to exist. So, any service used to connect to our box has been targeted by this STIG requirement. We have workarounds or config for our insecure protocols, but ssh (and its derivatives) have posed a problem. We need to limit the number of sessions, so cutting CPU and bandwith won't accomplish that. We also asked about the unauthenticated config you're talking about with ssh, but this requirement is targeting authenticated users. This message posted from opensolaris.org _______________________________________________ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
