{"description": "SSH server private keys, files that match the <code>/etc/ssh/*_key</code> glob, must be\ngroup-owned by the <code>root</code> group.", "rationale": "If an unauthorized user obtains the private SSH host key file, the host could be impersonated.", "severity": "medium", "references": {"anssi": ["R50"]}, "control_references": {"anssi": ["R50"]}, "components": [], "identifiers": {}, "ocil_clause": "/etc/ssh/*_key does not have a group owner of\nroot\n", "ocil": "To check the group ownership of <code>/etc/ssh/*_key</code>,\nrun the command:\n<pre>$ ls -lL /etc/ssh/*_key</pre>\nIf properly configured, the output should indicate the following group-owner:\n\n  <code>root</code>\n  ", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "Remediation is not possible at bootable container build time because SSH host\nkeys are generated post-deployment."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Verify Group Ownership on SSH Server Private *_key Key Files", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/rule.yml", "template": {"name": "file_groupowner", "vars": {"filepath": ["/etc/ssh/"], "file_regex": ["^.*_key$"], "gid_or_name": "0"}, "backends": {}}}