Verify Permissions on /etc/sysconfig/sshd File
Description
To properly set the permissions of /etc/sysconfig/sshd, run the command:
$ sudo chmod 0640 /etc/sysconfig/sshd
Rationale
The /etc/sysconfig/sshd file contains configuration options for the SSH daemon.
Protection of this file is important for system security. The file should have mode 0640
or more restrictive to prevent unauthorized access and modifications.
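The rule asks for a mode of 0640 "or more restrictive", which means no permission bit may be set beyond rw-r-----. The following check is an added example, not part of the rule's own content: it compares a file's mode bit-by-bit against the 0640 ceiling instead of testing for an exact match, so 0600 or 0400 pass while 0644 or 0660 fail. It assumes GNU stat (the `-c '%a'` format) and, like the playbook below, treats a missing file as nothing to check.

```shell
#!/bin/bash
# Added example: verify that a file's mode is 0640 or more restrictive.
# This is not the SSG rule's own check; it assumes GNU coreutils stat.

# mode_within MODE MAXMODE
# Returns 0 when octal MODE sets no permission bit outside octal MAXMODE,
# i.e. MODE is MAXMODE or more restrictive.
mode_within() {
    local mode=$((8#$1))
    local max=$((8#$2))
    [ $(( mode & ~max )) -eq 0 ]
}

# check_file_mode FILE [MAXMODE]
# Reads FILE's mode and checks it against MAXMODE (default 0640).
# Exit status: 0 compliant or file absent, 1 too permissive, 2 stat failed.
check_file_mode() {
    local file=$1
    local max=${2:-0640}
    local mode
    # Like the Ansible tasks, skip files that do not exist on this host.
    if [ ! -e "$file" ]; then
        echo "$file: not present, nothing to check"
        return 0
    fi
    mode=$(stat -c '%a' "$file") || return 2
    if mode_within "$mode" "$max"; then
        echo "$file: mode $mode is within $max"
        return 0
    fi
    echo "$file: mode $mode is more permissive than $max" >&2
    return 1
}

# Usage on the file this rule covers:
# check_file_mode /etc/sysconfig/sshd
```

Running `check_file_mode /etc/sysconfig/sshd` before and after the remediation below shows whether the symbolic chmod actually brought the file within the 0640 ceiling; a non-zero exit is the signal to remediate.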
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-core; then
    # Strip every bit not in rw-r-----: the result is 0640 or more restrictive,
    # and a file that is already stricter (e.g. 0600) is left unchanged.
    chmod u-xs,g-xws,o-xwrt /etc/sysconfig/sshd
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-89270-3
  - configure_strategy
  - file_permissions_etc_sysconfig_sshd
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Test for existence /etc/sysconfig/sshd
  ansible.builtin.stat:
    path: /etc/sysconfig/sshd
  register: file_exists
  when: '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-89270-3
  - configure_strategy
  - file_permissions_etc_sysconfig_sshd
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure permission u-xs,g-xws,o-xwrt on /etc/sysconfig/sshd
  ansible.builtin.file:
    path: /etc/sysconfig/sshd
    mode: u-xs,g-xws,o-xwrt
  when:
  - '"kernel-core" in ansible_facts.packages'
  - file_exists.stat is defined and file_exists.stat.exists
  tags:
  - CCE-89270-3
  - configure_strategy
  - file_permissions_etc_sysconfig_sshd
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed