Open shoekstra opened 5 years ago
@atomic111 What do you think? At this point we set this to VERBOSE https://github.com/dev-sec/ssh-baseline/blob/d2e1fe01ad88b0990081f9eb6a3884f3dff11baa/controls/sshd_spec.rb#L166 to track potential attacks later. I agree with @shoekstra to align this baseline with CIS and STIG?
@shoekstra you are right, the CIS recommends setting it to Info, but from a security point of view it is better to set it to verbose, because then you see more possible attacks on ssh. I prefer checking for Verbose.
As far as I can remember, one of the important differences was related to the fingerprints of logged-in keys: none in info but in verbose. Can somebody confirm that?
We can also accept both options in the baseline...
We could make this an attribute and leave the default to verbose. This would allow other users to change their default if they need to.
@chris-rock sounds good to me as well.
Another option might be like:
its('LogLevel') { should match(/^(VERBOSE|INFO)$/) }
I think a common attribute between the 2 profiles should do the trick. The default value is set to VERBOSE for this profile and INFO for the CIS one.
That way, there is no regression on any profile and a user can make them compatible by just setting the attribute.
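The attribute idea discussed above, sketched as an added example in plain Ruby; it is not code from ssh-baseline or the CIS profile. The helper names, the `expected` parameter standing in for the attribute, and the sample configs are assumptions made for illustration.

```ruby
SSHD_DEFAULT_LOGLEVEL = 'INFO' # sshd's default when no LogLevel line is present

# Hypothetical helper: return the global LogLevel from sshd_config text.
# sshd uses the first value it obtains for a keyword, so the first match wins.
# Simplification: parsing stops at the first Match block.
def effective_log_level(config_text)
  config_text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    keyword, value = line.split(/[\s=]+/, 2)
    break if keyword.casecmp?('Match')
    next unless keyword.casecmp?('LogLevel')
    return value.to_s.delete('"').strip.upcase # normalised for comparison
  end
  SSHD_DEFAULT_LOGLEVEL
end

# `expected` plays the role of the proposed attribute: default VERBOSE,
# overridable with 'INFO', or with a list to accept both levels.
def log_level_compliant?(config_text, expected = 'VERBOSE')
  Array(expected).map(&:upcase).include?(effective_log_level(config_text))
end

# Without a group, each anchor binds to only one alternative, so a
# "VERBOSE or INFO" pattern also accepts values such as DEBUG_INFO.
UNGROUPED = /^VERBOSE|INFO$/
GROUPED   = /\A(?:VERBOSE|INFO)\z/

# Constructed sample inputs (not taken from any real host).
VERBOSE_CONF = <<~CONF
  # constructed sample
  Port 22
  loglevel verbose
  LogLevel INFO
CONF
NO_LOGLEVEL_CONF = "Port 22\nPermitRootLogin no\n"
MATCH_ONLY_CONF  = "Port 22\nMatch User backup\n  LogLevel VERBOSE\n"

if __FILE__ == $PROGRAM_NAME
  puts "default attribute (VERBOSE): #{log_level_compliant?(VERBOSE_CONF)}"
  puts "CIS attribute (INFO):        #{log_level_compliant?(VERBOSE_CONF, 'INFO')}"
  puts "both accepted, no LogLevel:  #{log_level_compliant?(NO_LOGLEVEL_CONF, %w[VERBOSE INFO])}"
end
```

A config with no LogLevel line evaluates as INFO here, so it passes an INFO check and fails the VERBOSE default.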
Hi,
I've been running the ssh-baseline for some time and recently ran the CentOS 7 CIS-1 baseline and the xccdf_org.cisecurity.benchmarks_rule_5.2.3_Ensure_SSH_LogLevel_is_set_to_INFO control fails:
This baseline recommends setting it to VERBOSE; should sshd-13 be updated to check for INFO instead?
Stephen