Commit 6401d4e

Improve Acrolinx score
1 parent 43cdb75 commit 6401d4e

File tree

1 file changed

+2
-2
lines changed

articles/governance/policy/samples/guest-configuration-baseline-linux.md

Lines changed: 2 additions & 2 deletions
@@ -152,9 +152,9 @@ For more information, see [Azure Policy guest configuration](../concepts/guest-c
152152
|Root login via SSH should be disabled. - '/etc/ssh/sshd_config PermitRootLogin = no'<br /><sub>(109)</sub> |Description: An attacker could brute force the root password, or hide their command history by logging in directly as root |Run the command '/usr/local/bin/azsecd remediate -r disable-ssh-root-login'. This will add the line 'PermitRootLogin no' to the file '/etc/ssh/sshd_config' |
153153
|Remote connections from accounts with empty passwords should be disabled. - '/etc/ssh/sshd_config PermitEmptyPasswords = no'<br /><sub>(110)</sub> |Description: An attacker could gain access through password guessing |Run the command '/usr/local/bin/azsecd remediate (/opt/microsoft/omsagent/plugin/omsremediate) -r disable-ssh-empty-passwords'. This will add the line 'PermitEmptyPasswords no' to the file '/etc/ssh/sshd_config' |
154154
|Ensure SSH Idle Timeout Interval is configured.<br /><sub>(110.1)</sub> |Description: Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session. Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for `ClientAliveCountMax` is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent. |Edit the /etc/ssh/sshd_config file to set the parameters according to the policy |
155-
|Ensure SSH LoginGraceTime is set to one minute or less.<br /><sub>(110.2)</sub> |Description: Setting the `LoginGraceTime` parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy. |Edit the /etc/ssh/sshd_config file to set the parameters according to the policy or run '/opt/microsoft/omsagent/plugin/omsremediate -r configure-login-grace-time' |
155+
|Ensure SSH LoginGraceTime is set to one minute or less.<br /><sub>(110.2)</sub> |Description: Setting the `LoginGraceTime` parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. This setting also limits the number of concurrent unauthenticated connections. While the recommended setting is 60 seconds, you should set the number based on your site policy. |Edit the /etc/ssh/sshd_config file to set the parameters according to the policy or run '/opt/microsoft/omsagent/plugin/omsremediate -r configure-login-grace-time' |
156156
|Ensure only approved MAC algorithms are used<br /><sub>(110.3)</sub> |Description: MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information |Edit the /etc/sshd_config file and add/modify the MACs line to contain a comma separated list of the approved MACs or run '/opt/microsoft/omsagent/plugin/omsremediate -r configure-macs' |
157-
|Ensure remote login warning banner is configured properly.<br /><sub>(111)</sub> |Description: Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the `uname -a`command once they have logged in. |Remove any instances of \m \r \s and \v from the /etc/issue.net file |
157+
|Ensure remote login warning banner is configured properly.<br /><sub>(111)</sub> |Description: Warning messages inform users signing into the system of their legal status. The system must include the name of the owning organization as well as any active monitoring policies. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the `uname -a`command once they have logged in. |Remove any instances of \m \r \s and \v from the /etc/issue.net file |
158158
|Ensure local login warning banner is configured properly.<br /><sub>(111.1)</sub> |Description: Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the `uname -a`command once they have logged in. |Remove any instances of \m \r \s and \v from the /etc/issue file |
159159
|SSH warning banner should be enabled. - '/etc/ssh/sshd_config Banner = /etc/issue.net'<br /><sub>(111.2)</sub> |Description: Users will not be warned that their actions on the system are monitored |Run the command '/usr/local/bin/azsecd remediate -r configure-ssh-banner'. This will add the line 'Banner /etc/azsec/banner.txt' to the file '/etc/ssh/sshd_config' |
160160
|Users are not allowed to set environment options for SSH.<br /><sub>(112)</sub> |Description: An attacker may be able to bypass some access restrictions over SSH |Remove the line 'PermitUserEnvironment yes' from the file '/etc/ssh/sshd_config' |
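Review bot: The rewording of row 111 (new line 157) changes the subject of the requirement: the original said the warning message must include the owning organization's name and any monitoring policies, while the new text reads "The system must include the name of the owning organization as well as any active monitoring policies", which now states a requirement on the system rather than on the banner text. Suggest "The message must include the name of the owning organization as well as any active monitoring policies." Row 111.1 (line 158) carries the same description verbatim and is left untouched, so the remote and local banner rows now diverge in wording; the same edit should be applied there for consistency. Since the row is being touched anyway, `uname -a`command is missing a space before "command" in both banner rows.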
