An XCCDF Group - A logical subset of the XCCDF Benchmark
sshd
openssh-server
openssh-clients
$ sudo dnf install openssh-clients
$ sudo dnf install openssh-server
$ sudo systemctl enable sshd.service
/etc/ssh/sshd_config
$ sudo chgrp root /etc/ssh/sshd_config
/etc/ssh/*_key
root
/etc/ssh/*.pub
$ sudo chown root /etc/ssh/sshd_config
$ sudo chmod 0600 /etc/ssh/sshd_config
0600
$ sudo chmod 0644 /etc/ssh/*.pub
~/.ssh
RekeyLimit
/etc/ssh/ssh_config.d/02-rekey-limit.conf
include
/etc/ssh/ssh_config
/etc/ssh/ssh_config.d
02-rekey-limit.conf
$ sudo ssh-keygen -N [passphrase]
sshd_config(5)
ClientAliveCountMax
ClientAliveInterval
0
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ClientAliveInterval * ClientAliveCountMax
.rhosts
HostbasedAuthentication
HostbasedAuthentication no
firewalld
ssh
firewall-cmd --permanent --add-service=ssh
firewall-cmd --reload
Compression
PermitEmptyPasswords
PermitEmptyPasswords no
GSSAPIAuthentication
GSSAPIAuthentication no
KerberosAuthentication
KerberosAuthentication no
IgnoreRhosts
IgnoreRhosts yes
RhostsRSAAuthentication no
PermitRootLogin no
AllowTcpForwarding
AllowTcpForwarding no
IgnoreUserKnownHosts yes
X11Forwarding
X11Forwarding no
PermitUserEnvironment
PermitUserEnvironment no
UsePAM yes
PubkeyAuthentication
PubkeyAuthentication yes
StrictModes
.ssh
StrictModes yes
Banner /etc/issue
Banner /etc/issue.net
PrintLastLog
PrintLastLog yes
LoginGraceTime
LogLevel
LogLevel INFO
VERBOSE
LogLevel VERBOSE
MaxAuthTries
MaxSessions
MaxStartups
Include /etc/ssh/sshd_config.d/*.conf
/etc/ssh/sshd_config.d
UsePrivilegeSeparation
KexAlgorithms
MACs
X11UseLocalhost
yes
X11UseLocalhost yes