5.1.1 Ensure permissions on /etc/ssh/sshd_config are configured

Information

The file /etc/ssh/sshd_config, and files ending in .conf in the /etc/ssh/sshd_config.d directory, contain configuration specifications for sshd.

Configuration specifications for sshd need to be protected from unauthorized changes by non-privileged users.

Solution

Run the following script to set ownership and permissions on /etc/ssh/sshd_config and files ending in .conf in the /etc/ssh/sshd_config.d directory:

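#!/usr/bin/env bash

{
   # Main config: remove owner execute and all group/other access, owned by root:root
   chmod u-x,og-rwx /etc/ssh/sshd_config
   chown root:root /etc/ssh/sshd_config
   # Apply the same to every regular file in the drop-in directory
   # (NUL-delimited so unusual file names are handled safely)
   while IFS= read -r -d $'\0' l_file; do
      if [ -e "$l_file" ]; then
         chmod u-x,og-rwx "$l_file"
         chown root:root "$l_file"
      fi
   done < <(find /etc/ssh/sshd_config.d -type f -print0 2>/dev/null)
}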

- IF - other locations are listed in an Include statement, access to the *.conf files in these locations should also be modified.
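
A read-only audit counterpart to the remediation, covering the Include caveat above. This is an added example, not part of the benchmark text; it assumes bash 4+ and GNU stat, and the function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example (not from the benchmark): read-only audit of sshd config files.
# Assumes bash 4+ and GNU stat; function names are illustrative.
# Usage: audit_sshd_perms /etc/ssh/sshd_config

# Print the main config and every regular file matched by its Include
# directives (one level deep). sshd_config(5) resolves relative patterns
# against /etc/ssh; this example uses the main config's directory, which is
# the same location for the default path.
sshd_config_files() {
  local main=$1 dir kw rest pat f pats
  dir=$(dirname -- "$main")
  printf '%s\n' "$main"
  while read -r kw rest || [[ -n $kw ]]; do
    [[ ${kw,,} == include ]] || continue      # keywords are case-insensitive
    read -ra pats <<<"$rest"                  # split words without globbing
    for pat in "${pats[@]}"; do
      [[ $pat == /* ]] || pat=$dir/$pat
      for f in $pat; do                       # unquoted on purpose: expand glob
        if [[ -f $f ]]; then printf '%s\n' "$f"; fi
      done
    done
  done <"$main"
  return 0
}

# Flag files with any bit in mask 0177 set (owner execute, any group/other
# access) or not owned by the expected uid:gid (0:0 is root:root).
# Prints one line per finding and returns the number of findings.
audit_sshd_perms() {
  local main=$1 want=${2:-0:0} f mode owner fails=0
  while IFS= read -r f; do
    read -r mode owner < <(stat -Lc '%a %u:%g' -- "$f")
    if (( 8#$mode & 8#177 )) || [[ $owner != "$want" ]]; then
      printf 'FAIL %s mode=%s owner=%s\n' "$f" "$mode" "$owner"
      fails=$((fails + 1))
    fi
  done < <(sshd_config_files "$main")
  return "$fails"
}
```

A return status of 0 means every discovered file is mode 0600 or stricter and owned by root:root; any other status is the number of FAIL lines printed.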

See Also

https://workbench.cisecurity.org/benchmarks/17045

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: ff02e343225175307a981d8de666ad6dfcc1cc8c0e5b31fff42a61c78504275a