--- title: Verify Group Who Owns SSH Server Configuration Files description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > OOTB Rules > Verify Group Who Owns SSH Server Configuration Files --- # Verify Group Who Owns SSH Server Configuration Files ## Description{% #description %} To properly set the group owner of files in `/etc/ssh/sshd_config.d`, run the command: ``` find -H /etc/ssh/sshd_config.d -type d -exec chgrp -L root {} \; ``` ## Rationale{% #rationale %} Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes. ## Remediation{% #remediation %} ### Shell script{% #shell-script %} The following script can be run on the host to remediate the issue. ```bash #!/bin/bash # Remediation is applicable only in certain platforms if rpm --quiet -q kernel-core; then newgroup="" if getent group "0" >/dev/null 2>&1; then newgroup="0" fi if [[ -z "${newgroup}" ]]; then >&2 echo "0 is not a defined group on the system" else find -P /etc/ssh/sshd_config.d/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex '^.*$' -exec chgrp --no-dereference "$newgroup" {} \; fi else >&2 echo 'Remediation is not applicable, nothing was done' fi ``` ### Ansible playbook{% #ansible-playbook %} The following playbook can be run with Ansible to remediate the issue. ```gdscript3 - name: Gather the package facts package_facts: manager: auto tags: - CCE-86254-0 - NIST-800-53-AC-17(a) - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - configure_strategy - file_groupowner_sshd_drop_in_config - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Set the file_groupowner_sshd_drop_in_config_newgroup variable if represented by gid ansible.builtin.set_fact: file_groupowner_sshd_drop_in_config_newgroup: '0' when: '"kernel-core" in ansible_facts.packages' tags: - CCE-86254-0 - NIST-800-53-AC-17(a) - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - configure_strategy - file_groupowner_sshd_drop_in_config - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Find /etc/ssh/sshd_config.d/ file(s) matching ^.*$ ansible.builtin.command: find -P /etc/ssh/sshd_config.d/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex "^.*$" register: files_found changed_when: false failed_when: false check_mode: false when: '"kernel-core" in ansible_facts.packages' tags: - CCE-86254-0 - NIST-800-53-AC-17(a) - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - configure_strategy - file_groupowner_sshd_drop_in_config - low_complexity - low_disruption - medium_severity - no_reboot_needed - name: Ensure group owner on /etc/ssh/sshd_config.d/ file(s) matching ^.*$ ansible.builtin.file: path: '{{ item }}' follow: false group: '{{ file_groupowner_sshd_drop_in_config_newgroup }}' state: file with_items: - '{{ files_found.stdout_lines }}' when: '"kernel-core" in ansible_facts.packages' tags: - CCE-86254-0 - NIST-800-53-AC-17(a) - NIST-800-53-AC-6(1) - NIST-800-53-CM-6(a) - configure_strategy - file_groupowner_sshd_drop_in_config - low_complexity - low_disruption - medium_severity - no_reboot_needed ```