Should sshd-13 check for INFO instead of VERBOSE?

[shoekstra]

Hi,

I've been running the ssh-baseline for sometime and recently ran the CentOS 7 CIS-1 baseline and the xccdf_org.cisecurity.benchmarks_rule_5.2.3_Ensure_SSH_LogLevel_is_set_to_INFO control fails:

×  xccdf_org.cisecurity.benchmarks_rule_5.2.3_Ensure_SSH_LogLevel_is_set_to_INFO: Ensure SSH LogLevel is set to INFO
   ×  SSHD Configuration LogLevel should eq "INFO"

   expected: "INFO"
        got: "VERBOSE"

   (compared using ==)

This baseline recommends setting it to VERBOSE; should sshd-13 be updated to check for INFO instead?

Stephen

[chris-rock]

@atomic111 What do you think? At this point we set this to VERBOSE

ssh-baseline/controls/sshd_spec.rb

Line 166 in d2e1fe0

title 'Server: Specify LogLevel to VERBOSE'

to track potential attacks later. I agree with @shoekstra to align this baseline with CIS and STIG?

[atomic111]

@shoekstra you are right the CIS recommends to set it Info, but from a security point of view, it is better to set it to verbose, because then you see more possible attacks on ssh. I prefer checking for Verbose

[artem-sidorenko]

as far I can remember one of important differences was related to the fingerprints of logged-in keys: none in info but in verbose. Can somebody confirm that?

We can also accept both options in the baseline...

[artem-sidorenko]

yeah: https://unix.stackexchange.com/questions/15575/can-i-find-out-which-ssh-key-was-used-to-access-an-account#15586

[chris-rock]

We could make this an attribute and leave the default to verbose. This would allow other users to change their default if they need to.

[artem-sidorenko]

@chris-rock sounds good to me as well.

Another option might be like:

its('LogLevel') { should match(/^VERBOSE|INFO$/) }

[micheelengronne]

I think a common attribute between the 2 profiles should do the trick. The default value is set on VERBOSE for this profile and INFO for the CIS one.

That way, there is no regression on any profile and a user can make them compatible by just setting the attribute.