Verify Group Ownership on SSH Server Public *.pub Key Files

An XCCDF Rule

Description

SSH server public keys, files that match the /etc/ssh/*.pub glob, must be group-owned by root group.

Rationale

If a public host key file is modified by an unauthorized user, the SSH service may be compromised.

ID: xccdf_org.ssgproject.content_rule_file_groupownership_sshd_pub_key
Severity: Medium
References: R50
Updated: over 1 year ago

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}
' 'kernel' 2>/dev/null | grep -q installed; then

find -L /etc/ssh/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex '^.*\.pub$' -exec chgrp -L 0 {} \;
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - configure_strategy
  - file_groupownership_sshd_pub_key  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Find /etc/ssh/ file(s) matching ^.*\.pub$
  command: find -H /etc/ssh/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended
    -regex "^.*\.pub$"
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - configure_strategy
  - file_groupownership_sshd_pub_key
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure group owner on /etc/ssh/ file(s) matching ^.*\.pub$
  file:
    path: '{{ item }}'
    group: '0'
    state: file
  with_items:
  - '{{ files_found.stdout_lines }}'
  when: '"kernel" in ansible_facts.packages'
  tags:
  - configure_strategy
  - file_groupownership_sshd_pub_key
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

Verify Group Ownership on SSH Server Public *.pub Key Files

Description

Rationale

Remediation - Shell Script

Remediation - Ansible