Verify Ownership on SSH Server Public *.pub Key Files
An XCCDF Rule
Description
SSH server public keys, the files that match the /etc/ssh/*.pub glob, must be owned by the root user.
Rationale
If a public host key file can be modified by an unauthorized user, the SSH service may be compromised: the host key advertised to clients no longer corresponds to the key the server is known by.
- ID
- xccdf_org.ssgproject.content_rule_file_ownership_sshd_pub_key
- Severity
- Medium
- Updated
Remediation - Ansible
- name: Find /etc/ssh/ file(s) matching ^.*\.pub$
  command: find -H /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regex "^.*\.pub$"
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false

# Second task of the remediation (the page cuts off after the find task above):
# consume the registered list and set owner uid 0 on each file that was found.
- name: Ensure owner on /etc/ssh/ file(s) matching ^.*\.pub$
  file:
    path: '{{ item }}'
    owner: '0'
    state: file
  with_items:
    - '{{ files_found.stdout_lines }}'
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
    # chown to the numeric uid 0 rather than the name "root", so the fix does not
    # depend on name resolution; -maxdepth 1 keeps the scope to /etc/ssh itself.
    find /etc/ssh/ -maxdepth 1 -type f ! -uid 0 -regex '^.*\.pub$' -exec chown 0 {} \;
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
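The following is an added example, not part of the SSG content or its generated remediations. It wraps the same check as a pair of functions whose directory and expected owner uid are parameters, so the audit can be exercised against a scratch directory (with constructed files) instead of /etc/ssh, and so it reports the current owner of every offending file rather than only fixing it silently. It assumes GNU findutils (for -printf) and a POSIX sh; the function names audit_pub_key_owner, count_nonroot_pub_keys and remediate_pub_key_owner are this example's own.

```shell
#!/bin/sh
# Added example, not SSG code. Audits and remediates ownership of server
# public key files (*.pub) directly inside DIR, mirroring the rule's scope:
# regular files only, no descent into subdirectories, expected owner uid 0.

# audit_pub_key_owner DIR [UID]
# Prints "path uid=<current owner>" for each *.pub regular file directly in DIR
# that is not owned by UID (default 0). Returns 0 when compliant, 1 otherwise.
audit_pub_key_owner() {
    dir=$1
    want_uid=${2:-0}
    # -H follows a symlink only if DIR itself is one; -maxdepth 1 matches the
    # remediation's scope; -printf is a GNU findutils extension (assumption).
    offenders=$(find -H "$dir" -maxdepth 1 -type f -name '*.pub' \
        ! -uid "$want_uid" -printf '%p uid=%U\n')
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# count_nonroot_pub_keys DIR [UID]
# Number of offending files, as a plain integer on stdout.
count_nonroot_pub_keys() {
    audit_pub_key_owner "$1" "${2:-0}" | wc -l | tr -d ' '
}

# remediate_pub_key_owner DIR [UID]
# Applies the same fix as the SSG shell remediation: chown every offending
# file to the numeric uid (needs root when changing to another owner).
remediate_pub_key_owner() {
    dir=$1
    want_uid=${2:-0}
    find -H "$dir" -maxdepth 1 -type f -name '*.pub' \
        ! -uid "$want_uid" -exec chown "$want_uid" {} +
}
```

Typical use on a live host is `audit_pub_key_owner /etc/ssh` (exit status 1 and a listing when something is wrong), followed by `remediate_pub_key_owner /etc/ssh` as root. Note that private host keys (files without the .pub suffix) and anything in subdirectories are deliberately outside this rule; they are covered by other checks, not this one.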