Enable the OpenSSH Service

An XCCDF Rule

Description

The SSH server service, sshd, is commonly needed. The sshd service can be enabled with the following command:

$ sudo systemctl enable sshd.service

Rationale

Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered.

This checklist item applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, etc). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.

ID: xccdf_org.ssgproject.content_rule_service_sshd_enabled
Severity: Medium
References: 13 14

APO01.06 DSS05.02 DSS05.04 DSS05.07 DSS06.02 DSS06.06

3.1.13 3.13.8 3.5.4

CCI-002418 CCI-002420 CCI-002421 CCI-002422

SR 3.1 SR 3.8 SR 4.1 SR 4.2 SR 5.2

A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5

CM-6(a) SC-8 SC-8(1) SC-8(2) SC-8(3) SC-8(4)

PR.DS-2 PR.DS-5

SRG-OS-000423-GPOS-00187 SRG-OS-000424-GPOS-00188 SRG-OS-000425-GPOS-00189 SRG-OS-000426-GPOS-00190

SLES-15-010530

CCE-83297-2

SV-234860r916422_rule
Updated: about 1 year ago


[customizations.services]
enabled = ["sshd"]

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'sshd.service'
"$SYSTEMCTL_EXEC" start 'sshd.service'"$SYSTEMCTL_EXEC" enable 'sshd.service'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Enable service sshd
  block:

  - name: Gather the package facts
    package_facts:
      manager: auto
  - name: Enable service sshd
    systemd:
      name: sshd
      enabled: 'yes'
      state: started
      masked: 'no'
    when:
    - '"openssh" in ansible_facts.packages'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83297-2
  - DISA-STIG-SLES-15-010530
  - NIST-800-171-3.1.13
  - NIST-800-171-3.13.8
  - NIST-800-171-3.5.4
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-8
  - NIST-800-53-SC-8(1)
  - NIST-800-53-SC-8(2)
  - NIST-800-53-SC-8(3)
  - NIST-800-53-SC-8(4)
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_sshd_enabled

include enable_sshd

class enable_sshd {
  service {'sshd':
    enable => true,
    ensure => 'running',  }
}

Enable the OpenSSH Service

Description

Rationale

Remediation - OS Build Blueprint

Remediation - Shell Script

Remediation - Ansible

Remediation - Puppet