dev-sec / ssh-baseline

DevSec SSH Baseline - InSpec Profile
https://dev-sec.io/baselines/ssh/
Apache License 2.0

Should sshd-13 check for INFO instead of VERBOSE? #127

Open shoekstra opened 5 years ago

shoekstra commented 5 years ago

Hi,

I've been running the ssh-baseline for some time and recently ran the CentOS 7 CIS-1 baseline, and the xccdf_org.cisecurity.benchmarks_rule_5.2.3_Ensure_SSH_LogLevel_is_set_to_INFO control fails:

×  xccdf_org.cisecurity.benchmarks_rule_5.2.3_Ensure_SSH_LogLevel_is_set_to_INFO: Ensure SSH LogLevel is set to INFO
   ×  SSHD Configuration LogLevel should eq "INFO"

   expected: "INFO"
        got: "VERBOSE"

   (compared using ==)

This baseline recommends setting it to VERBOSE; should sshd-13 be updated to check for INFO instead?

Stephen

chris-rock commented 5 years ago

@atomic111 What do you think? At this point we set this to VERBOSE https://github.com/dev-sec/ssh-baseline/blob/d2e1fe01ad88b0990081f9eb6a3884f3dff11baa/controls/sshd_spec.rb#L166 to track potential attacks later. I agree with @shoekstra to align this baseline with CIS and STIG?

atomic111 commented 5 years ago

@shoekstra you are right, the CIS recommends setting it to INFO, but from a security point of view it is better to set it to VERBOSE, because then you see more possible attacks on ssh. I prefer checking for VERBOSE.

artem-sidorenko commented 5 years ago

As far as I can remember, one of the important differences was related to the fingerprints of logged-in keys: none in INFO but present in VERBOSE. Can somebody confirm that?

We can also accept both options in the baseline...

artem-sidorenko commented 5 years ago

yeah: https://unix.stackexchange.com/questions/15575/can-i-find-out-which-ssh-key-was-used-to-access-an-account#15586

chris-rock commented 5 years ago

We could make this an attribute and leave the default to verbose. This would allow other users to change their default if they need to.

artem-sidorenko commented 5 years ago

@chris-rock sounds good to me as well.

Another option might be like:

its('LogLevel') { should match(/^(VERBOSE|INFO)$/) } # group the alternation so both anchors apply to each value

micheelengronne commented 4 years ago

I think a common attribute between the 2 profiles should do the trick. The default value is set on VERBOSE for this profile and INFO for the CIS one.

That way, there is no regression on any profile and a user can make them compatible by just setting the attribute.
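To make the "attribute with a default of VERBOSE" idea concrete, here is a plain-Ruby stand-in for the sshd-13 check (an added example, not code from the dev-sec/ssh-baseline project): it parses a sshd_config text the way sshd does (first occurrence of a keyword wins, keywords and values case-insensitive, compiled-in default INFO when absent) and takes the accepted values as a parameter so a CIS-aligned caller can pass ["INFO"]. The config fragments and function names are constructed for the example.

```ruby
# Constructed sample sshd_config fragments.
SAMPLE_VERBOSE = <<~CONF
  # comment line
  Port 22
  LogLevel VERBOSE
  PermitRootLogin no
CONF

SAMPLE_INFO = <<~CONF
  Port 22
  loglevel info
CONF

SAMPLE_DEFAULT = "Port 22\n"

# Effective global LogLevel of an sshd_config text. sshd uses the first
# value it finds for a keyword, keywords and LogLevel values are matched
# case-insensitively, and a missing directive means the built-in default INFO.
def sshd_loglevel(config_text)
  config_text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    # Directives below the first Match block are conditional, not global.
    break if line =~ /\AMatch\s/i
    key, value = line.split(/\s*=\s*|\s+/, 2)
    return value.strip.upcase if value && key.casecmp?('LogLevel')
  end
  'INFO'
end

# The sshd-13 style verdict. `allowed` plays the role of the profile attribute
# discussed above: VERBOSE by default, ["INFO"] for a CIS-aligned profile.
def loglevel_compliant?(config_text, allowed: ['VERBOSE'])
  allowed.map(&:upcase).include?(sshd_loglevel(config_text))
end

# One-line report, handy when running this over a copied config file.
def report(config_text, allowed: ['VERBOSE'])
  verdict = loglevel_compliant?(config_text, allowed: allowed) ? 'PASS' : 'FAIL'
  "LogLevel #{sshd_loglevel(config_text)} (allowed: #{allowed.join(', ')}): #{verdict}"
end

if __FILE__ == $PROGRAM_NAME
  puts report(SAMPLE_VERBOSE)                   # PASS under the baseline default
  puts report(SAMPLE_INFO)                      # FAIL under the baseline default
  puts report(SAMPLE_INFO, allowed: ['INFO'])   # PASS under the CIS setting
end
```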