Profile Applicability:
 • Level 1

Description:
 The /etc/ssh/sshd_config file contains the configuration settings for the OpenSSH daemon (sshd), which controls SSH server behavior. Proper permissions on this file prevent unauthorized users from modifying SSH server configurations, which could lead to unauthorized access, privilege escalation, or system compromise.

Rationale:
 Securing the sshd_config file protects the integrity of SSH configurations, ensuring that only trusted administrators can alter SSH access policies. Misconfigured permissions could allow attackers to weaken SSH security or enable backdoor access.

Impact:
 Pros:

  • Protects SSH server configuration from unauthorized changes.

  • Helps maintain secure remote access policies.

  • Supports compliance with security standards.

 Cons:

  • Overly restrictive permissions might hinder legitimate administrative tasks if not properly managed.

Default Value:
 Permissions may vary by distribution but typically should be restrictive, limiting write access to root only.

Pre-requisites:
 Root or sudo privileges to modify file permissions.

Remediation:

Test Plan:
 Using Linux command line:

1. Check current permissions on /etc/ssh/sshd_config:

ls -l /etc/ssh/sshd_config

2. Verify ownership and permissions, which should typically be:

  • Owner: root

  • Group: root

  • Permissions: 600 or 644 depending on policy

Implementation Plan:
 Using Linux command line:

1. Set ownership to root:root:

chown root:root /etc/ssh/sshd_config

2. Set permissions to 600 (read/write for owner only):

chmod 600 /etc/ssh/sshd_config

3. Verify updated permissions:

ls -l /etc/ssh/sshd_config


Backout Plan:
 Using Linux command line:

1. Restore previous ownership and permissions if necessary:

chown <previous_owner>:<previous_group> /etc/ssh/sshd_config
chmod <previous_permissions> /etc/ssh/sshd_config

2. Verify restoration.
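
Scripted audit (an added example, not part of the benchmark text): it records the current owner and mode so the Backout Plan has values to restore, then performs the Test Plan check, accepting any mode that sets no bit beyond the allowed one. It assumes GNU coreutils stat; the function names and the output file in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes GNU coreutils stat; function names are hypothetical.

# mode_within FILE ALLOWED: succeed if FILE has no permission bit set
# outside ALLOWED (octal, e.g. 600 or 644). A stricter mode also passes.
mode_within() {
    mode=$(stat -L -c '%a' "$1" 2>/dev/null) || return 2
    [ $(( 0$mode & ~0$2 & 07777 )) -eq 0 ]
}

# owner_is FILE UID:GID: compare numeric owner and group (root:root is 0:0).
owner_is() {
    [ "$(stat -L -c '%u:%g' "$1" 2>/dev/null)" = "$2" ]
}

# save_state FILE: print "UID:GID MODE" so the backout plan has the
# previous values for chown and chmod. Run it before remediation.
save_state() {
    stat -L -c '%u:%g %a' "$1"
}

# audit_sshd_config [FILE] [ALLOWED_MODE] [UID:GID]
# Returns 0 when both checks pass, 1 otherwise, and says which one failed.
# A missing or unreadable file fails both checks.
audit_sshd_config() {
    file=${1:-/etc/ssh/sshd_config}
    allowed=${2:-600}
    owner=${3:-0:0}
    rc=0
    if ! owner_is "$file" "$owner"; then
        echo "FAIL: $file owner is not $owner"
        rc=1
    fi
    if ! mode_within "$file" "$allowed"; then
        echo "FAIL: $file mode exceeds $allowed"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "PASS: $file is $owner with mode within $allowed"
    fi
    return "$rc"
}

# Usage on a host, as root (output path is an example):
#   save_state /etc/ssh/sshd_config > /root/sshd_config.perms.before
#   audit_sshd_config /etc/ssh/sshd_config 600
```

Pass 644 as the second argument where policy allows world-readable configuration; the owner check stays at 0:0 (root:root) unless a third argument overrides it.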

References:

  • CIS Amazon Linux 2 Benchmark v3.0.0 — https://www.cisecurity.org/benchmark/amazon_linux/

  • Linux chmod Manual — https://man7.org/linux/man-pages/man1/chmod.1.html

  • OpenSSH sshd_config Manual — https://man.openbsd.org/sshd_config

  • NIST SP 800-53 Revision 5 - CM-5 Configuration Management — https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final