Enable Use of Strict Mode Checking
An XCCDF Rule
Description
SSHs StrictModes
option checks file and ownership permissions in
the user's home directory .ssh
folder before accepting login. If world-
writable permissions are found, logon is rejected.
The default SSH configuration has StrictModes
enabled. The appropriate
configuration is used if no value is set for StrictModes
.
To explicitly enable StrictModes
in SSH, add or correct the following line in
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
:
StrictModes yes
Rationale
If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.
- ID
- xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Enable Use of Strict Mode Checking
block:
- name: Deduplicate values from /etc/ssh/sshd_config
lineinfile:
path: /etc/ssh/sshd_config
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf