Should sshd-13 check for INFO instead of VERBOSE? #127

Open
shoekstra opened this issue Apr 15, 2019 · 7 comments

@shoekstra

Hi,

I've been running the ssh-baseline for some time and recently ran the CentOS 7 CIS-1 baseline, and the xccdf_org.cisecurity.benchmarks_rule_5.2.3_Ensure_SSH_LogLevel_is_set_to_INFO control fails:

×  xccdf_org.cisecurity.benchmarks_rule_5.2.3_Ensure_SSH_LogLevel_is_set_to_INFO: Ensure SSH LogLevel is set to INFO
   ×  SSHD Configuration LogLevel should eq "INFO"

   expected: "INFO"
        got: "VERBOSE"

   (compared using ==)

This baseline recommends setting it to VERBOSE; should sshd-13 be updated to check for INFO instead?

Stephen

@chris-rock
Member

@atomic111 What do you think? At this point we set this to VERBOSE

title 'Server: Specify LogLevel to VERBOSE'
to track potential attacks later. I agree with @shoekstra to align this baseline with CIS and STIG?

@atomic111
Member

@shoekstra you are right, the CIS recommends setting it to INFO, but from a security point of view it is better to set it to VERBOSE, because then you see more possible attacks on ssh. I prefer checking for VERBOSE.

@artem-sidorenko
Member

As far as I can remember, one of the important differences was related to the fingerprints of logged-in keys: none in INFO but in VERBOSE. Can somebody confirm that?

We can also accept both options in the baseline...

@chris-rock
Member

We could make this an attribute and leave the default to verbose. This would allow other users to change their default if they need to.

@artem-sidorenko
Member

@chris-rock sounds good to me as well.

Another option might be like:

its('LogLevel') { should match(/^(VERBOSE|INFO)$/) }

@micheelengronne
Member

I think a common attribute between the 2 profiles should do the trick. The default value is set to VERBOSE for this profile and INFO for the CIS one.

That way, there is no regression on any profile and a user can make them compatible by just setting the attribute.
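
The two options discussed in this thread (a configurable expected level defaulting to VERBOSE, or a regex accepting both values), sketched in plain Ruby as an added example; this is not code from ssh-baseline or the CIS profile. The function names, the `allowed:` parameter and the sample config are assumptions, and the reader is simplified (no `Include`, no `Keyword=value` form).

```ruby
# Constructed sample sshd_config; the first LogLevel line is the one that counts.
SAMPLE_SSHD_CONFIG = <<~CONF
  # logging
  SyslogFacility AUTHPRIV
  loglevel verbose
  LogLevel INFO
  Match User backup
      LogLevel DEBUG
CONF

# sshd uses the first value obtained for a keyword, keywords are
# case-insensitive, and an unset LogLevel defaults to INFO.
def global_loglevel(config_text)
  config_text.each_line do |line|
    keyword, value = line.sub(/#.*/, '').split(' ', 2)
    next if keyword.nil?                       # blank or comment-only line
    break if keyword.casecmp?('Match')         # only Match-scoped settings follow
    return value.strip.upcase if keyword.casecmp?('LogLevel') && value
  end
  'INFO'
end

# `allowed` plays the role of the proposed profile attribute:
# VERBOSE by default for this baseline, INFO for a CIS-aligned run.
def loglevel_ok?(config_text, allowed: %w[VERBOSE])
  allowed.map(&:upcase).include?(global_loglevel(config_text))
end

# Regex option: without a group, ^ binds only to VERBOSE and $ only to INFO,
# so the pattern accepts any string starting with VERBOSE or ending with INFO.
UNGROUPED = /^VERBOSE|INFO$/
GROUPED   = /\A(?:VERBOSE|INFO)\z/

if __FILE__ == $PROGRAM_NAME
  puts "global LogLevel:   #{global_loglevel(SAMPLE_SSHD_CONFIG)}"
  puts "baseline default:  #{loglevel_ok?(SAMPLE_SSHD_CONFIG)}"
  puts "CIS-aligned (INFO): #{loglevel_ok?(SAMPLE_SSHD_CONFIG, allowed: %w[INFO])}"
  puts "either accepted:   #{loglevel_ok?(SAMPLE_SSHD_CONFIG, allowed: %w[VERBOSE INFO])}"
end
```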
