Open
Description
I randomly get reports from people using a CIS scanner for compliance "hey, you don't have this feature dis/enabled but you should!". I realize that testers are to blame (a tool with a fool is still a fool) but OTOH it causes trouble for management.
Thus the following suggestions:
- If Debian version X has feature Y enabled or disabled per default AND it cannot be found uncommented: it's fine
- parse the manpage `sshd_config(5)` and try to find the default. Most often it's the last sentence in that indented section which says what the default is. Use this then for a decision.
- use `/usr/bin/sshd -T | grep -i <yourkey>`. It still doesn't honor `Match User` and the like
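
An added example (not part of the issue or of the project's code) for the third suggestion: audit the values `sshd -T` reports, which include defaults, instead of looking for uncommented lines in `sshd_config`. The sample dump, the policy values and all function names are constructed for illustration; `live_dump` relies on sshd's `-C` option, which passes connection parameters to `-T` so that matching `Match` blocks are applied.

```shell
# Constructed sample of `sshd -T` output; a real host lists every keyword, defaults included.
SAMPLE_DUMP='port 22
gatewayports no
permitrootlogin no
maxauthtries 4
x11forwarding yes'

# Constructed policy (hypothetical values): "Keyword expected" per line.
SAMPLE_POLICY='PermitRootLogin no
MaxAuthTries 4
X11Forwarding no'

# effective_value DUMP KEY: print KEY's value (whole-word, case-insensitive); 1 if absent.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        tolower($1) == tolower(key) { sub(/^[^ \t]+[ \t]*/, ""); print; found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# check_setting DUMP KEY EXPECTED: 0 = match, 1 = differs, 2 = keyword absent.
check_setting() {
    cs_actual=$(effective_value "$1" "$2") || { echo "MISSING $2"; return 2; }
    if [ "$(printf %s "$cs_actual" | tr 'A-Z' 'a-z')" = "$(printf %s "$3" | tr 'A-Z' 'a-z')" ]; then
        echo "OK      $2 = $cs_actual"
    else
        echo "FAIL    $2 = $cs_actual (expected $3)"
        return 1
    fi
}

# audit DUMP POLICY: check every policy line; exit status = number of findings.
audit() {
    au_bad=0
    while read -r au_key au_want; do
        [ -n "$au_key" ] || continue
        check_setting "$1" "$au_key" "$au_want" || au_bad=$((au_bad + 1))
    done <<EOF
$2
EOF
    return "$au_bad"
}

# live_dump [USER]: effective config of this host (run as root). With USER,
# -C supplies connection parameters so Match blocks for that user are applied.
live_dump() {
    /usr/bin/sshd -T ${1:+-C "user=$1,host=localhost,addr=127.0.0.1"}
}

audit "$SAMPLE_DUMP" "$SAMPLE_POLICY" || echo "$? finding(s)"
```

On a real system, `audit "$(live_dump)" "$SAMPLE_POLICY"` checks the global settings and `audit "$(live_dump someuser)" "$SAMPLE_POLICY"` checks what a given account would get.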