Enable Use of Strict Mode Checking
An XCCDF Rule
Description
SSHs StrictModes
option checks file and ownership permissions in
the user's home directory .ssh
folder before accepting login. If world-
writable permissions are found, logon is rejected.
The default SSH configuration has StrictModes
enabled. The appropriate
configuration is used if no value is set for StrictModes
.
To explicitly enable StrictModes
in SSH, add or correct the following line in
/etc/ssh/sshd_config
:
StrictModes yes
Rationale
If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.
- ID
- xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
if [ -e "/etc/ssh/sshd_config" ] ; then
LC_ALL=C sed -i "/^\s*StrictModes\s\+/Id" "/etc/ssh/sshd_config"
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- NIST-800-171-3.1.12
- NIST-800-53-AC-17(a)