I want to run a quick check on the readability and effectiveness of this SSH hardening policy based on the MITRE ATT&CK framework (T1133) for a Linux system. Here's the basic structure of my endpoint state policy: it ensures secure SSH configuration by disallowing root login, password authentication, and empty passwords. I'm particularly interested in knowing if there are any potential pitfalls or improvements that could be made to ensure it's actually verifying the intended settings and not just relying on comments in the configuration file.
2 Answers
This looks readable and aligns well with T1133, but keep in mind that just checking the sshd_config file doesn't guarantee actual security exposure. It’s wise to treat this as a policy baseline and verify effective settings at runtime (like checking active listeners and authentication logs) to catch any issues that could arise from configuration drift or overrides.
Your current setup might face issues because your 'contains' rules won't differentiate between commented and uncommented lines. For example, if someone has commented out 'PermitRootLogin no' and set it to 'yes', it could lead to false positives. It's best to standardize your SSH configuration to ensure compliance and consider using Infrastructure as Code (IaC) tools for managing configurations consistently.
Related Questions
Can't Load PhpMyadmin On After Server Update
Redirect www to non-www in Apache Conf
How To Check If Your SSL Cert Is SHA 1
Windows TrackPad Gestures