documentation_complete: true

title: 'Verify Permissions on SSH Server Private *_key Key Files'

{{% set dedicated_ssh_groupname = groups.get("dedicated_ssh_keyowner", {}).get("name") %}}

{{% if product in ["ol9", "rhcos4", "sle12", "sle15", "slmicro5", "slmicro6"] %}}
{{# CoreOS is special - it is immutable, so it is more predictable, and it uses the dedicated group as key owner by default #}}
{{% set perms = "-rw-r-----" %}}
{{% set perms_num = "0640" %}}
{{% else %}}
{{% set perms = "-rw-------" %}}
{{% set perms_num = "0600" %}}
{{% endif %}}

description: |-
    SSH server private keys - files that match the <code>/etc/ssh/*_key</code> glob, have to have restricted permissions.
    If those files are owned by the <code>root</code> user and the <code>root</code> group, they have to have the <code>{{{ perms_num }}}</code> permission or stricter.
    {{% if dedicated_ssh_groupname -%}}
    If they are owned by the <code>root</code> user, but by a dedicated group <code>{{{ dedicated_ssh_groupname }}}</code>, they can have the <code>0640</code> permission or stricter.
    {{%- endif %}}

rationale: |-
    If an unauthorized user obtains the private SSH host key file, the host could be
    impersonated.

severity: medium

identifiers:
    cce@rhel8: CCE-82424-3
    cce@rhel9: CCE-90820-2
    cce@rhel10: CCE-88018-7
    cce@sle12: CCE-83058-8
    cce@sle15: CCE-85644-3
    cce@slmicro5: CCE-93751-6
    cce@slmicro6: CCE-95070-9 

references:
    cis-csc: 12,13,14,15,16,18,3,5
    cis@sle12: 5.2.2
    cis@sle15: 5.2.2
    cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
    cui: 3.1.13,3.13.10
    isa-62443-2009: 4.3.3.7.3
    isa-62443-2013: 'SR 2.1,SR 5.2'
    iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
    nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2
    nist: AC-17(a),CM-6(a),AC-6(1)
    nist-csf: PR.AC-4,PR.DS-5
    pcidss: Req-2.2.4
    srg: SRG-OS-000480-GPOS-00227
    stigid@ol7: OL07-00-040420
    stigid@ol8: OL08-00-010490
    stigid@sle12: SLES-12-030220
    stigid@sle15: SLES-15-040250

ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*_key", perms=perms) }}}'

ocil: |-
    {{{ ocil_file_permissions(file="/etc/ssh/*_key", perms=perms) }}}

fixtext: '{{{ srg_requirement_file_permission(file="/etc/ssh/*_key", mode=perms_num) }}}'

srg_requirement: 'The {{{ full_namne }}} SSH private host key files must have mode {{{ perms_num }}} or less permissive.'

warnings:
    - general: |-
        Remediation is not possible at bootable container build time because SSH host
        keys are generated post-deployment.

platform: system_with_kernel