Disable SSH Server If Possible

An XCCDF Rule

Description

The SSH server service, sshd, is commonly needed. However, if it can be disabled, do so. This is unusual, as SSH is a common method for encrypted and authenticated remote access.

ID: xccdf_org.ssgproject.content_rule_service_sshd_disabled
Severity: High
References: CM-3(6) IA-2(4)

SRG-APP-000141-CTR-000315 SRG-APP-000185-CTR-000490
Updated: over 1 year ago

Remediation Templates

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'sshd.service'
"$SYSTEMCTL_EXEC" disable 'sshd.service'
"$SYSTEMCTL_EXEC" mask 'sshd.service'# Disable socket activation if we have a unit file for it
if "$SYSTEMCTL_EXEC" -q list-unit-files sshd.socket; then
    "$SYSTEMCTL_EXEC" stop 'sshd.socket'
    "$SYSTEMCTL_EXEC" mask 'sshd.socket'
fi
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'sshd.service' || true

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-3(6)
  - NIST-800-53-IA-2(4)  - disable_strategy
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_sshd_disabled
- name: Disable SSH Server If Possible - Collect systemd Services Present in the System
  ansible.builtin.command: systemctl -q list-unit-files --type service
  register: service_exists
  changed_when: false
  failed_when: service_exists.rc not in [0, 1]
  check_mode: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-3(6)
  - NIST-800-53-IA-2(4)
  - disable_strategy
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_sshd_disabled

- name: Disable SSH Server If Possible - Ensure sshd.service is Masked
  ansible.builtin.systemd:
    name: sshd.service
    state: stopped
    enabled: false
    masked: true
  when:
  - '"kernel" in ansible_facts.packages'
  - service_exists.stdout_lines is search("sshd.service", multiline=True)
  tags:
  - NIST-800-53-CM-3(6)
  - NIST-800-53-IA-2(4)
  - disable_strategy
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_sshd_disabled

- name: Unit Socket Exists - sshd.socket
  ansible.builtin.command: systemctl -q list-unit-files sshd.socket
  register: socket_file_exists
  changed_when: false
  failed_when: socket_file_exists.rc not in [0, 1]
  check_mode: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-3(6)
  - NIST-800-53-IA-2(4)
  - disable_strategy
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_sshd_disabled

- name: Disable SSH Server If Possible - Disable Socket sshd
  ansible.builtin.systemd:
    name: sshd.socket
    enabled: false
    state: stopped
    masked: true
  when:
  - '"kernel" in ansible_facts.packages'
  - socket_file_exists.stdout_lines is search("sshd.socket", multiline=True)
  tags:
  - NIST-800-53-CM-3(6)
  - NIST-800-53-IA-2(4)
  - disable_strategy
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_sshd_disabled

service disable sshd

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0    systemd:
      units:
      - name: sshd.service
        enabled: false
        mask: true
      - name: sshd.socket
        enabled: false
        mask: true

include disable_sshd
class disable_sshd {
  service {'sshd':
    enable => false,
    ensure => 'stopped',
  }
}

[customizations.services]
masked = ["sshd"]

Disable SSH Server If Possible

Description

Remediation Templates

A Shell Script

An Ansible Snippet

script:kickstart

A Kubernetes Patch

A Puppet Snippet

OS Build Blueprint