Check: UBTU-16-030310
Canonical Ubuntu 16.04 LTS STIG:
UBTU-16-030310
(in versions v2 r3 through v1 r3)
Title
The SSH public host key files must have mode 0644 or less permissive. (Cat II impact)
Discussion
If a public host key file is modified by an unauthorized user, the SSH service may be compromised.
Check Content
Verify the SSH public host key files have mode "0644" or less permissive. Note: SSH public key files may be found in other directories on the system depending on the installation. The following command will find all SSH public key files on the system: # ls -l /etc/ssh/*.pub -rw-r--r-- 1 root wheel 618 Nov 28 06:43 ssh_host_dsa_key.pub -rw-r--r-- 1 root wheel 347 Nov 28 06:43 ssh_host_key.pub -rw-r--r-- 1 root wheel 238 Nov 28 06:43 ssh_host_rsa_key.pub If any key.pub file has a mode more permissive than "0644", this is a finding.
Fix Text
Note: SSH public key files may be found in other directories on the system depending on the installation. Change the mode of public host key files under "/etc/ssh" to "0644" with the following command: # sudo chmod 0644 /etc/ssh/*key.pub The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command: # sudo systemctl restart sshd.service
Additional Identifiers
Rule ID: SV-215132r610931_rule
Vulnerability ID: V-215132
Group Title: SRG-OS-000480-GPOS-00227
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |