An XCCDF Group - A logical subset of the XCCDF Benchmark
sshd
openssh-server
$ sudo dnf install openssh-server
$ sudo dnf erase openssh-server
/etc/ssh/sshd_config
$ sudo chgrp root /etc/ssh/sshd_config
/etc/ssh/*_key
ssh_keys
/etc/ssh/*.pub
root
$ sudo chown root /etc/ssh/sshd_config
$ sudo chmod 0600 /etc/ssh/sshd_config
0600
0640
$ sudo chmod 0644 /etc/ssh/*.pub
/etc/sysconfig/iptables
/etc/sysconfig/ip6tables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
~/.ssh
sshd_config(5)
ClientAliveCountMax
ClientAliveInterval
0
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
ClientAliveInterval * ClientAliveCountMax
.rhosts
HostbasedAuthentication
HostbasedAuthentication no
Protocol 2
Compression
PermitEmptyPasswords
PermitEmptyPasswords no
GSSAPIAuthentication
GSSAPIAuthentication no
KerberosAuthentication
KerberosAuthentication no
PubkeyAuthentication no
IgnoreRhosts
IgnoreRhosts yes
RhostsRSAAuthentication no
PermitRootLogin no
PermitRootLogin prohibit-password
AllowTcpForwarding
AllowTcpForwarding no
IgnoreUserKnownHosts yes
X11Forwarding
X11Forwarding no
PermitUserEnvironment
PermitUserEnvironment no
GSSAPIAuthentication yes
UsePAM yes
PubkeyAuthentication
PubkeyAuthentication yes
StrictModes
.ssh
StrictModes yes
Banner /etc/issue
Banner /etc/issue.net
X11Forwarding yes
PrintLastLog
PrintLastLog yes
RekeyLimit
LoginGraceTime
LogLevel
LogLevel INFO
VERBOSE
LogLevel VERBOSE
MaxAuthTries
MaxSessions
MaxStartups
Include /etc/ssh/sshd_config.d/*.conf
/etc/ssh/sshd_config.d
UsePrivilegeSeparation
/etc/sysconfig/sshd
SSH_USE_STRONG_RNG
SSH_USE_STRONG_RNG=32
X11UseLocalhost
yes
X11UseLocalhost yes
netwk
mask
ip_protocol
firewall-cmd --permanent --add-rich-rule='rule family="ip_protocol" source address="netwk/mask" service name="ssh" accept'