mediumaccess-controlunverified
Ensure access to /etc/sysconfig/sshd is configured
sshd-sysconfig-permissions · RHEL ≥ 8 · 1 impl
Description
The /etc/sysconfig/sshd file (SSH daemon environment settings) must be owned by root:root and mode 0640 or more restrictive (no group write/execute, no access for others), so only root can alter the SSH daemon's startup configuration.
Rationale
A writable or world-readable /etc/sysconfig/sshd could let a non-root user alter SSH daemon behavior or learn its configuration.
Check → Remediate
Checkcommand
f=/etc/sysconfig/sshd
[ -e "$f" ] || { echo "NOT APPLICABLE: $f absent"; exit 0; }
mode=$(stat -c '%a' "$f" 2>/dev/null); own=$(stat -c '%U:%G' "$f" 2>/dev/null)
# 0640 or more restrictive: no group write/exec, no access for others.
if [ "$own" = "root:root" ] && [ "$(( 0$mode & 037 ))" -eq 0 ]; then
echo "OK: $f is $own mode $mode"
exit 0
fi
echo "FAIL: $f is $own mode $mode (want root:root, 0640 or more restrictive)"
exit 1
- expected_exit:
- 0
Remediatefile_permissions
- path:
- /etc/sysconfig/sshd
- owner:
- root
- group:
- root
- mode:
- 0640
Framework references
CIS
rhel8 5.1.3
NIST 800-53
AC-6CM-6
#ssh#permissions#sysconfig#cis