Skip to content

Disable SSH Server If Possible

An XCCDF Rule

Description

The SSH server service, sshd, is commonly needed. However, if it can be disabled, do so. This is unusual, as SSH is a common method for encrypted and authenticated remote access.

ID
xccdf_org.ssgproject.content_rule_service_sshd_disabled
Severity
High
References
Updated



Remediation - OS Build Blueprint


[customizations.services]
disabled = ["sshd"]

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'sshd.service'
"$SYSTEMCTL_EXEC" disable 'sshd.service'

Remediation - Kubernetes Patch

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0

Remediation - Ansible

- name: Block Disable service sshd
  block:

  - name: Disable service sshd
    block:


Remediation - Puppet

include disable_sshd

class disable_sshd {
  service {'sshd':
    enable => false,
    ensure => 'stopped',