Verify Permissions on SSH Server Private *_key Key Files

Classification:

compliance

Framework:

Control:

Description

SSH server private keys, the files matching the /etc/ssh/*_key glob, must have restricted permissions. If such a file is owned by the root user and the root group, its mode must be 0600 or stricter.

Rationale

If an unauthorized user obtains the private SSH host key file, the host could be impersonated.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

    for keyfile in /etc/ssh/*_key; do
        # Skip anything that is not a regular file (e.g. an unmatched glob)
        test -f "$keyfile" || continue
        if test root:root = "$(stat -c "%U:%G" "$keyfile")"; then
            # Drop every bit beyond 0600: setuid/execute for the owner,
            # everything for group and others, setgid and the sticky bit
            chmod u-xs,g-xwrs,o-xwrt "$keyfile"
        else
            echo "Key-like file '$keyfile' is owned by an unexpected user:group combination"
        fi
    done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
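An audit counterpart to the remediation above, added here as an example (it is not part of this rule's content): it applies the same test as the script and the playbook's find command (root:root-owned *_key files with any bit beyond 0600 set are violations; other owner:group combinations are reported but not judged) and reports the mode the remediation would leave behind. The directory argument and the verdict names are this example's own choices.

```python
import stat
from pathlib import Path

# Bits that `chmod u-xs,g-xwrs,o-xwrt` clears. If any of them is set on a
# root:root-owned key, the mode is looser than 0600 (the same condition the
# playbook tests with `find ... -perm /u+xs,g+xwrs,o+xwrt`).
FORBIDDEN_BITS = (stat.S_IXUSR | stat.S_ISUID
                  | stat.S_IRWXG | stat.S_ISGID
                  | stat.S_IRWXO | stat.S_ISVTX)


def classify_key(uid, gid, mode):
    """Apply the rule to one file: 'ok', 'violation' or 'unexpected-owner'."""
    if (uid, gid) != (0, 0):
        # Not root:root: reported but not judged, exactly like the
        # "unexpected user:group combination" branch of the script.
        return "unexpected-owner"
    return "violation" if mode & FORBIDDEN_BITS else "ok"


def remediated_mode(mode):
    """Permission bits left after `chmod u-xs,g-xwrs,o-xwrt` (stricter modes stay)."""
    return stat.S_IMODE(mode) & ~FORBIDDEN_BITS


def audit_ssh_host_keys(ssh_dir="/etc/ssh"):
    """Audit every regular file matching <ssh_dir>/*_key.

    Returns a dict mapping each verdict to the sorted list of file names.
    Symlinks are skipped, as `find -H ... -type f` skips them.
    """
    findings = {"ok": [], "violation": [], "unexpected-owner": []}
    for keyfile in sorted(Path(ssh_dir).glob("*_key")):
        st = keyfile.lstat()          # do not follow symlinks
        if not stat.S_ISREG(st.st_mode):
            continue
        verdict = classify_key(st.st_uid, st.st_gid, st.st_mode)
        findings[verdict].append(keyfile.name)
    return findings


if __name__ == "__main__":
    for verdict, names in audit_ssh_host_keys().items():
        for name in names:
            print(f"{verdict:16} {name}")
```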

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Find root:root-owned keys
  ansible.builtin.command: find -H /etc/ssh/ -maxdepth 1 -user root -regex ".*_key$"
    -type f -group root -perm /u+xs,g+xwrs,o+xwrt
  register: root_owned_keys
  changed_when: false
  failed_when: false
  check_mode: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - NIST-800-171-3.1.13
    - NIST-800-171-3.13.10
    - NIST-800-53-AC-17(a)
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-2.2.4
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_permissions_sshd_private_key
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Set permissions for root:root-owned keys
  ansible.builtin.file:
    path: '{{ item }}'
    mode: u-xs,g-xwrs,o-xwrt
    state: file
  with_items:
    - '{{ root_owned_keys.stdout_lines }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - NIST-800-171-3.1.13
    - NIST-800-171-3.13.10
    - NIST-800-53-AC-17(a)
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-2.2.4
    - PCI-DSSv4-2.2.6
    - configure_strategy
    - file_permissions_sshd_private_key
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed