Disable SSH Server If Possible
An XCCDF Rule
Description
The SSH server service, sshd, is commonly needed. However, if it can be disabled, do so. This is unusual, as SSH is a common method for encrypted and authenticated remote access.
- ID
- xccdf_org.ssgproject.content_rule_service_sshd_disabled
- Severity
- High
- Updated
Remediation - OS Build Blueprint
[customizations.services]
disabled = ["sshd"]
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'sshd.service'
"$SYSTEMCTL_EXEC" disable 'sshd.service'
Remediation - Kubernetes Patch
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
config:
ignition:
version: 3.1.0
Remediation - Ansible
- name: Block Disable service sshd
block:
- name: Disable service sshd
block:
Remediation - Puppet
include disable_sshd
class disable_sshd {
service {'sshd':
enable => false,
ensure => 'stopped',