sshd_config CIS benchmarks checks under SCA getting failed incorrectly #846

Open
gobind-singh opened this issue Sep 1, 2021 · 0 comments

@gobind-singh

Currently /etc/ssh/sshd_config is being used as the source of truth for checking whether the SSH server is configured correctly according to the CIS benchmarks.

Issue with using /etc/ssh/sshd_config as the source of truth:
When we use the default config options for some keywords, they are not required to be explicitly added to the /etc/ssh/sshd_config file. This is where the Wazuh rulesets fail to check whether the configuration option corresponding to that keyword is set correctly or not.

Example:
If the configuration options below are not added to /etc/ssh/sshd_config, the CIS benchmark checks corresponding to them start failing, although these are the default values (valid with the CIS benchmarks) and are not required to be explicitly mentioned in /etc/ssh/sshd_config.

PermitEmptyPasswords no
HostbasedAuthentication no
IgnoreRhosts yes

Default values reference:

PermitEmptyPasswords
             When password authentication is allowed, it specifies
             whether the server allows login to accounts with empty
             password strings.  The default is no.

HostbasedAuthentication
             Specifies whether rhosts or /etc/hosts.equiv authentication
             together with successful public key client host
             authentication is allowed (host-based authentication).  The
             default is no.

IgnoreRhosts
             Specifies whether to ignore per-user .rhosts and .shosts
             files during HostbasedAuthentication.  The system-wide
             /etc/hosts.equiv and /etc/shosts.equiv are still used
             regardless of this setting.

             Accepted values are yes (the default) to ignore all per-
             user files, shosts-only to allow the use of .shosts but to
             ignore .rhosts or no to allow both .shosts and rhosts.

ref: https://man7.org/linux/man-pages/man5/sshd_config.5.html

Reliable way of checking sshd_config CIS benchmarks: Regex-based checks on the command output of sshd -T can be used as a reliable source of truth, as it provides all configuration options set for sshd_config, even if they are the default values.
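The difference between the two sources of truth, as an added example that is not part of the original issue or of Wazuh's SCA policy format: a file-based check and an effective-config check are run over a constructed sshd_config that relies on defaults and over constructed sshd -T output for the same host. The rule table, sample inputs and function names are assumptions made for the illustration.

```python
import re
import subprocess

# Constructed sample: a minimal sshd_config that leaves the three
# CIS-relevant keywords at their defaults (none is written explicitly).
SSHD_CONFIG_FILE = """\
# constructed sample file
Port 22
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Constructed sample of `sshd -T` output for the same host: the effective
# configuration, defaults included, printed as lowercase keyword/value pairs.
SSHD_T_OUTPUT = """\
port 22
permitemptypasswords no
hostbasedauthentication no
ignorerhosts yes
passwordauthentication yes
"""

# Hypothetical rule table: keyword -> regex the effective value must match.
CIS_RULES = {
    "permitemptypasswords": r"^no$",
    "hostbasedauthentication": r"^no$",
    "ignorerhosts": r"^yes$",
}

def parse_config_file(text):
    """Parse sshd_config text: drop comments, first occurrence of a keyword wins."""
    cfg = {}
    for line in text.splitlines():
        parts = re.split(r"[\s=]+", line.split("#", 1)[0].strip(), maxsplit=1)
        if len(parts) == 2:
            cfg.setdefault(parts[0].lower(), parts[1].strip())
    return cfg

def parse_effective_config(text):
    """Parse `sshd -T` output into {keyword: value} (keywords are lowercase)."""
    cfg = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            cfg[parts[0].lower()] = parts[1].strip()
    return cfg

def effective_config_from_host():
    """Run `sshd -T` on the local host (needs root) and parse its output."""
    out = subprocess.run(["sshd", "-T"], check=True, capture_output=True, text=True).stdout
    return parse_effective_config(out)

def check(cfg, rules=CIS_RULES):
    """Return {keyword: passed}; a keyword absent from cfg counts as a failure."""
    return {k: bool(k in cfg and re.fullmatch(pat, cfg[k])) for k, pat in rules.items()}
```

Note that sshd -T resolves Match blocks only for the connection parameters passed with -C, so keywords set inside Match blocks need a run such as sshd -T -C user=...,host=...,addr=... to be evaluated.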
