File: rule.yml

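# Rule: permissions on the SSH server's public host key files under /etc/ssh/.
# The check (template.vars below) requires mode 0644 or less permissive on
# every *.pub file in /etc/ssh/; description, OCIL, fix text and SRG wording
# are kept consistent with that glob and mode.
documentation_complete: true

title: 'Verify Permissions on SSH Server Public *.pub Key Files'

# perms here must agree with template.vars.filemode.
description: '{{{ describe_file_permissions(file="/etc/ssh/*.pub", perms="0644") }}}'

rationale: |-
    If a public host key file is modified by an unauthorized user, the SSH service
    may be compromised.

severity: medium

identifiers:
    cce@rhel7: CCE-27311-0
    cce@rhel8: CCE-82428-4
    cce@rhel9: CCE-90819-4
    cce@sle12: CCE-83057-0
    cce@sle15: CCE-85643-5

references:
    cis-csc: 12,13,14,15,16,18,3,5
    cis@alinux2: 5.2.4
    cis@alinux3: 5.2.4
    cis@rhel7: 5.3.3
    cis@rhel8: 5.2.3
    cis@sle12: 5.2.3
    cis@sle15: 5.2.3
    cis@ubuntu2004: 5.2.3
    cis@ubuntu2204: 5.2.3
    cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
    cui: 3.1.13,3.13.10
    disa: CCI-000366
    isa-62443-2009: 4.3.3.7.3
    isa-62443-2013: 'SR 2.1,SR 5.2'
    iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
    nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2
    nist: AC-17(a),CM-6(a),AC-6(1)
    nist-csf: PR.AC-4,PR.DS-5
    pcidss: Req-2.2.6
    srg: SRG-OS-000480-GPOS-00227
    stigid@ol7: OL07-00-040410
    stigid@ol8: OL08-00-010480
    stigid@rhel7: RHEL-07-040410
    stigid@rhel8: RHEL-08-010480
    stigid@sle12: SLES-12-030210
    stigid@sle15: SLES-15-040240

# OCIL uses the symbolic form of 0644 (-rw-r--r--) for the same glob.
ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*.pub", perms="-rw-r--r--") }}}'

ocil: |-
    {{{ ocil_file_permissions(file="/etc/ssh/*.pub", perms="-rw-r--r--") }}}

# Fix text covers exactly what the check evaluates: every /etc/ssh/*.pub file
# (the template's anchored .pub regex), set to the checked mode 0644. A fix
# that only touched *_key.pub would leave other matching files failing the
# check, and a mode differing from filemode would not match the documented
# requirement.
fixtext: '{{{ fixtext_file_permissions(file="/etc/ssh/*.pub", mode="0644") }}}'

srg_requirement: 'The {{{ full_name }}} SSH public host key files must have mode 0644 or less permissive.'

template:
    name: file_permissions
    vars:
        # Directory searched; file_regex selects the files inside it.
        filepath: /etc/ssh/
        # Quoted so it stays the string 'true' rather than a YAML boolean;
        # presumably a missing match is not a finding - confirm against the
        # file_permissions template.
        missing_file_pass: 'true'
        # Anchored, so only *.pub files are evaluated.
        file_regex: ^.*\.pub$
        # Quoted to keep the leading zero (octal mode passed as a string).
        filemode: '0644'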