← Rules Catalog
mediumaccess-controlunverified

Ensure access to /etc/sysconfig/sshd is configured

sshd-sysconfig-permissions · RHEL ≥ 8 · 1 impl

Description

The /etc/sysconfig/sshd file (SSH daemon environment settings) must be owned by root:root and mode 0640 or more restrictive (no group write/execute, no access for others), so only root can alter the SSH daemon's startup configuration.

Rationale

A writable or world-readable /etc/sysconfig/sshd could let a non-root user alter SSH daemon behavior or learn its configuration.

Check → Remediate

Checkcommand
f=/etc/sysconfig/sshd
[ -e "$f" ] || { echo "NOT APPLICABLE: $f absent"; exit 0; }
mode=$(stat -c '%a' "$f" 2>/dev/null); own=$(stat -c '%U:%G' "$f" 2>/dev/null)
# 0640 or more restrictive: no group write/exec, no access for others.
if [ "$own" = "root:root" ] && [ "$(( 0$mode & 037 ))" -eq 0 ]; then
  echo "OK: $f is $own mode $mode"
  exit 0
fi
echo "FAIL: $f is $own mode $mode (want root:root, 0640 or more restrictive)"
exit 1
expected_exit:
0
Remediatefile_permissions
path:
/etc/sysconfig/sshd
owner:
root
group:
root
mode:
0640

Framework references

CIS

rhel8 5.1.3

NIST 800-53

AC-6CM-6
#ssh#permissions#sysconfig#cis