4.2.1 Ensure permissions on /etc/ssh/sshd_config are configured

Information

The file /etc/ssh/sshd_config and files ending in .conf in the /etc/ssh/sshd_config.d directory contain configuration specifications for sshd.

Configuration specifications for sshd need to be protected from unauthorized changes by non-privileged users.

Solution

Run the following script to set ownership and permissions on /etc/ssh/sshd_config and files ending in .conf in the /etc/ssh/sshd_config.d directory:

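#!/usr/bin/env bash

{
   # Main configuration file: no execute for the owner, no access for group/other
   chmod u-x,og-rwx /etc/ssh/sshd_config
   chown root:root /etc/ssh/sshd_config
   # Drop-in files: read NUL-delimited names so unusual file names are handled safely
   while IFS= read -r -d $'\0' l_file; do
      if [ -e "$l_file" ]; then
         chmod u-x,og-rwx "$l_file"
         chown root:root "$l_file"
      fi
   done < <(find /etc/ssh/sshd_config.d -type f -print0)
}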
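
To confirm the result after remediation, the following audit check is an added example, not part of the benchmark text. It reports any sshd configuration file that carries a permission bit outside 0600 or is not owned by root:root. The function names and the optional base-directory, owner and group arguments are assumptions made for illustration, and GNU stat is assumed.

```bash
#!/usr/bin/env bash
# Added audit example (not from the benchmark). Function names and the
# optional base/owner/group arguments are illustrative assumptions.

# mode_ok MODE: succeeds when octal MODE has no bit of mask 0177 set, i.e. the
# state left by "chmod u-x,og-rwx" (no owner execute, nothing for group/other).
mode_ok() {
    [ $(( 0$1 & 0177 )) -eq 0 ]
}

# audit_file PATH [OWNER] [GROUP]: prints one line per finding.
# Returns 0 = compliant, 1 = finding, 2 = file could not be examined.
audit_file() {
    local path="$1" owner="${2:-root}" group="${3:-root}" meta rc=0
    meta=$(stat -Lc '%a %U %G' -- "$path") || return 2
    set -- $meta    # $1 = octal mode, $2 = owning user, $3 = owning group
    if ! mode_ok "$1"; then
        echo "FAIL $path: mode $1 is more permissive than 0600"
        rc=1
    fi
    if [ "$2" != "$owner" ] || [ "$3" != "$group" ]; then
        echo "FAIL $path: owned by $2:$3, expected $owner:$group"
        rc=1
    fi
    return $rc
}

# audit_sshd_config [BASE] [OWNER] [GROUP]: checks BASE/sshd_config and every
# regular file ending in .conf under BASE/sshd_config.d (BASE defaults to /etc/ssh).
audit_sshd_config() {
    local base="${1:-/etc/ssh}" owner="${2:-root}" group="${3:-root}" rc=0 f
    audit_file "$base/sshd_config" "$owner" "$group" || rc=1
    for f in "$base"/sshd_config.d/*.conf; do
        [ -f "$f" ] || continue    # unmatched glob or not a regular file
        audit_file "$f" "$owner" "$group" || rc=1
    done
    return $rc
}

# Run the audit only when arguments are given, e.g.: ./audit.sh /etc/ssh
if [ $# -gt 0 ]; then
    audit_sshd_config "$@"
    exit $?
fi
```

A non-zero exit status means at least one file still needs the remediation script above.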

See Also

https://workbench.cisecurity.org/benchmarks/15287

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: c676815c37c839c0f7391b1f1652f39cdc68a5e0d7116310ab53bebf676e5f1e