
Should sshd-13 check for INFO instead of VERBOSE?

Open shoekstra opened this issue 6 years ago • 7 comments

Hi,

I've been running the ssh-baseline for some time and recently ran the CentOS 7 CIS-1 baseline, and the xccdf_org.cisecurity.benchmarks_rule_5.2.3_Ensure_SSH_LogLevel_is_set_to_INFO control fails:

×  xccdf_org.cisecurity.benchmarks_rule_5.2.3_Ensure_SSH_LogLevel_is_set_to_INFO: Ensure SSH LogLevel is set to INFO
   ×  SSHD Configuration LogLevel should eq "INFO"

   expected: "INFO"
        got: "VERBOSE"

   (compared using ==)

This baseline recommends setting it to VERBOSE; should sshd-13 be updated to check for INFO instead?

Stephen

shoekstra avatar Apr 15 '19 08:04 shoekstra

@atomic111 What do you think? At this point we set this to VERBOSE https://github.com/dev-sec/ssh-baseline/blob/d2e1fe01ad88b0990081f9eb6a3884f3dff11baa/controls/sshd_spec.rb#L166 to track potential attacks later. I agree with @shoekstra to align this baseline with CIS and STIG?

chris-rock avatar Apr 15 '19 17:04 chris-rock

@shoekstra you are right, the CIS recommends setting it to Info, but from a security point of view it is better to set it to verbose, because then you see more possible attacks on ssh. I prefer checking for Verbose.

atomic111 avatar Apr 15 '19 18:04 atomic111

As far as I can remember, one of the important differences was related to the fingerprints of logged-in keys: none in info but present in verbose. Can somebody confirm that?

We can also accept both options in the baseline...

artem-sidorenko avatar Apr 15 '19 18:04 artem-sidorenko

yeah: https://unix.stackexchange.com/questions/15575/can-i-find-out-which-ssh-key-was-used-to-access-an-account#15586

artem-sidorenko avatar Apr 15 '19 18:04 artem-sidorenko

We could make this an attribute and leave the default to verbose. This would allow other users to change their default if they need to.

chris-rock avatar Apr 16 '19 10:04 chris-rock

@chris-rock sounds good to me as well.

Another option might be like:

its('LogLevel') { should match(/^(VERBOSE|INFO)$/) } # group the alternation so both anchors apply to either value

artem-sidorenko avatar Apr 17 '19 12:04 artem-sidorenko

I think a common attribute between the 2 profiles should do the trick. The default value is set on VERBOSE for this profile and INFO for the CIS one.

That way, there is no regression on any profile and a user can make them compatible by just setting the attribute.

micheelengronne avatar May 09 '20 13:05 micheelengronne
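To make the attribute-with-default idea from the comments above concrete, here is an added plain-Ruby model of the check (not code from the ssh-baseline project, and not InSpec DSL, so it runs stand-alone): the accepted LogLevel values come from an assumed `allowed` attribute that defaults to VERBOSE, the way the dev-sec profile would keep its default while a CIS-aligned profile passes INFO. The sshd_config content is constructed for the example.

```ruby
# Added example modelling the proposed sshd-13 check outside InSpec.
# Constructed sshd_config content (not a real host's file).
SAMPLE_SSHD_CONFIG = <<~CONF
  # comment line that must be ignored
  Port 22
  LogLevel VERBOSE
  PermitRootLogin no
  Match User backup
      LogLevel INFO
CONF

# Return the global LogLevel from sshd_config text, or nil if it is not set.
# sshd honours the first occurrence of a keyword, and everything after the
# first Match line is conditional, so parsing stops there. Keywords are
# matched case-insensitively, as sshd does.
def global_log_level(config_text)
  config_text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/[\s=]+/, 2)
    break if key.casecmp?('Match')        # remaining lines are conditional
    return value.to_s.strip if key.casecmp?('LogLevel')
  end
  nil
end

# `allowed` stands in for the profile attribute discussed in the thread
# (hypothetical name). An unset LogLevel fails, matching the InSpec
# `its('LogLevel') { should eq ... }` behaviour, even though sshd's own
# default is INFO: the baseline wants the value set explicitly.
def log_level_compliant?(config_text, allowed: ['VERBOSE'])
  level = global_log_level(config_text)
  return false if level.nil?
  allowed.any? { |a| a.casecmp?(level) }
end

# The regex variant from the thread needs grouping: /^VERBOSE|INFO$/ parses
# as (^VERBOSE)|(INFO$) and would also accept a value such as "VERBOSE2".
LEVEL_PATTERN = /\A(VERBOSE|INFO)\z/
def accepted_level?(level)
  !!(level =~ LEVEL_PATTERN)
end
```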