1

I firstly wanted to say "thank you!" for all the support that I have gained by reading the articles on this site - a major benefit for a web developer donning a sysadmin hat...

We are currently working to get our Web Server PCI compliant and have been going back and forth with TrustWave over CVE-2015-8325. We use a backported version of OpenSSH.

CentOS release 6.8 (Final)
3.2.69-82.art.x86_64
openssh-5.3p1-118.1.el6_8.x86_64

The final thing they are requesting is: "We require confirmation that user_readenv is off in pam_env module on this system."

I am looking for a way to confirm this from the shell but am striking out - per searches online it looks like the setting is disabled by default but I cannot find a way to confirm it.

If I run:

sshd -T

from the shell, its output contains the two following lines:

usepam no
uselogin no

I'm trying to determine if this is the only technique that I can use to get them what they are asking for or if there is a configuration file somewhere that specifically states "user_readenv=0" or something similar.

Thank you for your time, and let me know if you need more information.

=== Update ===

I provided TrustWave with the above information and they have approved the dispute. I still am interested if there is another way to confirm user_readenv is off for pam_env module - but if nothing comes up - I'll just mark the above as the answer - Thanks.

Jon Freynik

2 Answers

2

If you were to be using PAM, and submit the following to Trustwave to dispute CVE-2015-8325:

sshd -T  
usepam yes  
uselogin no  

Then Trustwave requires proof that PAM is configured to not read .pam_environment files in user home directories:

grep READENV /etc/security/pam_env.conf  
READENV         DEFAULT=0  
USER_READENV    DEFAULT=0  

Add those lines for them to accept your dispute.

Kyle
1

Running sshd -T (extended test mode) from the terminal should output many of the different configurations that SSH currently has configured - in my case I was able to find "usepam no" and "uselogin no" which turned out to be enough information for TrustWave to accept our dispute. I'm not sure if a better method exists to prove this, however, this looks to have solved my issue.

Jon Freynik
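
An added example, not part of either answer above: one way to gather the evidence discussed on this page from the shell. It reads the usepam and uselogin values from saved sshd -T output and reports whether any active pam_env.so line sets user_readenv, which pam_env(8) documents as a module argument on the pam_env.so line of a PAM service file. The function names are hypothetical, /etc/pam.d is assumed as the PAM directory, and the demo input is constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Print the value of one key from `sshd -T` output read on stdin.
sshd_setting() {
    awk -v key="$1" '$1 == key { print $2; exit }'
}

# Summarise user_readenv across all active pam_env.so lines in a PAM
# directory ($1, conventionally /etc/pam.d):
#   on            at least one line sets user_readenv=1
#   default       a pam_env.so line has no user_readenv argument, so the
#                 module's built-in default applies (see pam_env(8))
#   explicit-off  every pam_env.so line sets user_readenv=0
#   absent        no active pam_env.so line found
user_readenv_state() {
    cat "$1"/* 2>/dev/null | awk '
        /^[ \t]*#/       { next }
        !/pam_env\.so/   { next }
        /user_readenv=1/ { on = 1; next }
        /user_readenv=0/ { off = 1; next }
                         { dflt = 1 }
        END {
            if (on)        print "on"
            else if (dflt) print "default"
            else if (off)  print "explicit-off"
            else           print "absent"
        }'
}

# One-line summary. $1 = file with saved `sshd -T` output, $2 = PAM dir.
audit() {
    printf 'usepam=%s uselogin=%s user_readenv=%s\n' \
        "$(sshd_setting usepam < "$1")" \
        "$(sshd_setting uselogin < "$1")" \
        "$(user_readenv_state "$2")"
}

# Demo on constructed input. On a real host (as root):
#   sshd -T > /tmp/sshd-T.txt && audit /tmp/sshd-T.txt /etc/pam.d
demo=$(mktemp -d)
mkdir "$demo/pam.d"
printf 'port 22\nusepam yes\nuselogin no\n' > "$demo/sshd-T.txt"
printf '%s\n' '# session required pam_env.so user_readenv=1' \
              'session required pam_env.so' > "$demo/pam.d/sshd"
audit "$demo/sshd-T.txt" "$demo/pam.d"
rm -rf "$demo"
```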