Skip to content

Enable Use of Strict Mode Checking

An XCCDF Rule

Description

SSHs StrictModes option checks file and ownership permissions in the user's home directory .ssh folder before accepting login. If world- writable permissions are found, logon is rejected.
The default SSH configuration has StrictModes enabled. The appropriate configuration is used if no value is set for StrictModes.
To explicitly enable StrictModes in SSH, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:

StrictModes yes

Rationale

If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.

ID
xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
Severity
Medium
References
Updated



Remediation - Ansible

- name: Enable Use of Strict Mode Checking
  block:

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf