Distribute the SSH Server configuration to multiple files in a config directory.
An XCCDF Rule
Description
Make sure to have the `Include /etc/ssh/sshd_config.d/*.conf` line in the `/etc/ssh/sshd_config` file.
Ideally, don't have any active configuration directives in that file, and distribute the service configuration to several files in the `/etc/ssh/sshd_config.d` directory.
Rationale
This form of distributed configuration is considered good practice, and because other sshd rules assume that directives in files in the `/etc/ssh/sshd_config.d` config directory are effective, there has to be a rule that ensures the Include line is present.
Aside from that, having multiple configuration files makes it easier to partition SSH Server configuration changes according to the reason they were introduced, which should make merging hardening updates easier.
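A read-only check that mirrors this rule's requirement, added here as an example and not part of the SCAP content or its OVAL check: it reports whether an active Include line for the config directory exists and how many other directives still live in the main file. It runs against two constructed sample files; in practice you would pass /etc/ssh/sshd_config.

```shell
# Added example, not the rule's own check. Paths are passed as arguments so the
# functions can be run against constructed samples as well as the real file.

# Print the effective lines of an sshd_config: drop blank lines and lines whose
# first non-blank character is '#', which sshd treats as comments.
sshd_effective_lines() {
    grep -Ev '^[[:space:]]*(#|$)' "$1"
}

# Return 0 when an active "Include /etc/ssh/sshd_config.d/*.conf" line exists.
# sshd keywords are case-insensitive, hence -i.
has_include_directive() {
    sshd_effective_lines "$1" |
        grep -Eiq '^[[:space:]]*Include[[:space:]]+/etc/ssh/sshd_config\.d/\*\.conf[[:space:]]*$'
}

# Count directives other than Include left in the main file; the rule wants zero.
count_stray_directives() {
    sshd_effective_lines "$1" | grep -Eiv '^[[:space:]]*Include[[:space:]]' | wc -l | tr -d ' '
}

# Write two constructed sample files (not real system config) and print the directory.
make_sample_configs() {
    dir=$(mktemp -d)
    cat > "$dir/compliant.conf" <<'EOF'
# Constructed sample: the main file only delegates to the config directory
Include /etc/ssh/sshd_config.d/*.conf
EOF
    cat > "$dir/noncompliant.conf" <<'EOF'
# Constructed sample: Include is commented out and directives live in the main file
#Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin no
PasswordAuthentication no
EOF
    printf '%s\n' "$dir"
}

# Demonstration against both constructed samples.
samples=$(make_sample_configs)
for f in "$samples/compliant.conf" "$samples/noncompliant.conf"; do
    if has_include_directive "$f"; then state=present; else state=MISSING; fi
    printf '%s: Include directive %s, %s stray directive(s)\n' \
        "$f" "$state" "$(count_stray_directives "$f")"
done
rm -rf "$samples"
```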
- ID: xccdf_org.ssgproject.content_rule_sshd_use_directory_configuration
- Severity: Medium
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
    # A preserved copy of the original sshd_config marks a previous run of this remediation.
    if test -f /etc/ssh/sshd_config.d/sshd_config_original.conf; then
        printf '%s\n' "Remediation probably already happened, '/etc/ssh/sshd_config.d/sshd_config_original.conf' already exists, not doing anything." >&2
        # Exit non-zero so the caller knows nothing was changed.
        false
        # The remaining branches of the script are not reproduced on this page.
    fi
fi