A systems engineer asks a generative-AI assistant to suggest hardening changes for a new Linux bastion host that must pass a CIS Level-1 SSH audit. The tool replies with four separate recommendations: set "PermitRootLogin" to "no", raise "LoginGraceTime" to 300, set "PasswordAuthentication" to "yes", and set "AllowTcpForwarding" to "yes".
Which single recommendation should you accept without modification to improve compliance?
Add "PermitRootLogin no" to /etc/ssh/sshd_config
Increase "LoginGraceTime" to 300 seconds
Set "PasswordAuthentication yes" to allow fallback to passwords
Enable "AllowTcpForwarding yes" for troubleshooting tunnels
Disabling direct SSH login for the root account is a Level-1 control in the CIS Benchmarks and is also required by DISA STIGs. Accepting "PermitRootLogin no" satisfies that control and improves accountability, because administrators must log in with named accounts and escalate through sudo, which leaves an attributable trail. The other three suggestions do not advance compliance: CIS requires LoginGraceTime to be 60 seconds or less, so 300 fails that check; "PasswordAuthentication yes" re-enables the weaker credential method the benchmark steers away from; and "AllowTcpForwarding yes" is a Level-2 finding, so although it would not by itself fail a Level-1 audit, it moves the host in the wrong direction. The only recommendation that actually advances compliance is disabling remote root logins.
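The following is an added example, not part of the Crucial Exams question or explanation: a small shell audit that reads an sshd_config-style file and checks the four settings discussed above against the expectations in the explanation (root login off, grace time at most 60 seconds, password authentication off, and TCP forwarding reported as a Level-2 note rather than a Level-1 failure). The two sample configurations are constructed for illustration and are written to temporary files, not to /etc/ssh; the function names are the example's own.

```shell
# Added example (not from the original page): audit an sshd_config file
# against the four settings discussed in the explanation above.

# Effective value of a keyword. sshd honours the first occurrence of a
# keyword, so the first non-comment match wins here too. Prints the supplied
# default when the keyword is absent (defaults below follow sshd_config(5)).
sshd_value() {
    local file="$1" key="$2" default="$3" val
    val=$(awk -v k="$key" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$file")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# Audit one file. Prints one line per check and returns 1 if any Level-1
# check fails. AllowTcpForwarding is reported as a Level-2 note only, so it
# does not change the return code, matching the explanation above.
audit_sshd_config() {
    local file="$1" rc=0 v

    v=$(sshd_value "$file" PermitRootLogin prohibit-password)
    if [ "$v" = "no" ]; then echo "PASS L1 PermitRootLogin=$v"
    else echo "FAIL L1 PermitRootLogin=$v (expected no)"; rc=1; fi

    v=$(sshd_value "$file" LoginGraceTime 120)
    case "$v" in
        # sshd also accepts unit suffixes such as 1m; this simple check only
        # understands plain seconds and fails closed on anything else.
        *[!0-9]*) echo "FAIL L1 LoginGraceTime=$v (use plain seconds, 60 or less)"; rc=1 ;;
        *) if [ "$v" -le 60 ]; then echo "PASS L1 LoginGraceTime=$v"
           else echo "FAIL L1 LoginGraceTime=$v (maximum 60)"; rc=1; fi ;;
    esac

    v=$(sshd_value "$file" PasswordAuthentication yes)
    if [ "$v" = "no" ]; then echo "PASS L1 PasswordAuthentication=$v"
    else echo "FAIL L1 PasswordAuthentication=$v (expected no)"; rc=1; fi

    v=$(sshd_value "$file" AllowTcpForwarding yes)
    if [ "$v" = "no" ]; then echo "PASS L2 AllowTcpForwarding=$v"
    else echo "NOTE L2 AllowTcpForwarding=$v (Level-2 finding, not a Level-1 failure)"; fi

    return "$rc"
}

# Constructed sample: the assistant's four suggestions applied verbatim.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
PermitRootLogin no
LoginGraceTime 300
PasswordAuthentication yes
AllowTcpForwarding yes
EOF

# Constructed sample: only the root-login suggestion kept, the rest corrected.
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
PermitRootLogin no
LoginGraceTime 60
PasswordAuthentication no
AllowTcpForwarding no
EOF

echo "== assistant's suggestions =="
audit_sshd_config "$WEAK_CFG" || echo "result: NOT Level-1 compliant"
echo "== corrected =="
audit_sshd_config "$HARDENED_CFG" && echo "result: Level-1 compliant"
```

This reads the file literally and ignores Match blocks and Include directives. On a live host, validate the syntax with `sshd -t` and read the effective values with `sshd -T` before restarting the service, since a broken sshd_config on a bastion locks every administrator out at once.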
CompTIA Linux+ XK0-006 (V8)
Automation, Orchestration, and Scripting