Set LogLevel to INFO
An XCCDF Rule
Description
The INFO parameter specifies that login and logout activity will be logged.
The default SSH configuration sets the log level to INFO. The appropriate configuration is used if no value is set for LogLevel.
To explicitly specify the log level in SSH, add or correct the following line in /etc/ssh/sshd_config:
LogLevel INFO
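As an added example (not part of the rule's own content), the shell function below reports the global LogLevel that a given sshd_config file yields, applying the INFO default described above and sshd's rule that the first value obtained for a keyword is the one used. The function names and sample files are constructed for illustration; the sketch assumes no Include directives and no trailing comments, and it upper-cases the value before comparing.

```shell
#!/bin/sh
# Added example: report the global LogLevel an sshd_config file would yield.
# Assumptions: Include directives are not followed; no trailing comments.

effective_loglevel() {
    awk '
        { sub(/^[ \t]+/, "") }              # strip leading whitespace
        /^#/ || /^$/ { next }               # skip comments and blank lines
        {
            kw = tolower($0)
            sub(/[ \t=].*$/, "", kw)        # keyword is case-insensitive
            if (kw == "match") exit         # global section ends at first Match
            if (kw == "loglevel") {
                val = $0
                sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val)  # drop keyword and separator
                gsub(/"/, "", val)          # drop optional quoting
                sub(/[ \t]+$/, "", val)     # drop trailing whitespace
                print toupper(val)          # first value obtained wins
                found = 1
                exit
            }
        }
        END { if (!found) print "INFO" }    # unset means the default, INFO
    ' "$1"
}

check_loglevel_info() {
    [ "$(effective_loglevel "$1")" = "INFO" ]
}

# Constructed sample configs (not taken from any real host).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '# no LogLevel set' 'PermitRootLogin no' > "$demo_dir/default.conf"
printf '%s\n' '  loglevel = debug' 'LogLevel INFO' > "$demo_dir/debug_first.conf"
printf '%s\n' 'Match User backup' '    LogLevel VERBOSE' > "$demo_dir/match_only.conf"

for f in "$demo_dir"/*.conf; do
    if check_loglevel_info "$f"; then status=PASS; else status=FAIL; fi
    printf '%-18s %-8s %s\n' "$(basename "$f")" "$(effective_loglevel "$f")" "$status"
done
```

On a live host, `sshd -T` prints the effective configuration and can be used to confirm the result.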
Rationale
SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field.
- ID
- xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info
- Severity
- Low
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
    if [ -e "/etc/ssh/sshd_config" ] ; then
        # Delete every existing LogLevel line (the I flag makes the match case-insensitive)
        LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config"
    fi
fi
Remediation - Ansible
- name: Set LogLevel to INFO
  block:
    - name: Check for duplicate values
      lineinfile:
        path: /etc/ssh/sshd_config