Rule ID
SV-282383r1200129_rule
Version
V1R1
CCIs
SSH provides several logging levels with varying amounts of verbosity. "DEBUG" is specifically not recommended, other than strictly for debugging SSH communications, because it provides so much data that it is difficult to identify important security information. "INFO" and "VERBOSE" are the basic levels that record only SSH user login activity. In many situations, such as incident response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field.
Verify TOSS 5 logs SSH connection attempts and failures to the server.
Verify what the SSH daemon's "LogLevel" option is set to using the following command:
$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*loglevel'
LogLevel VERBOSE
If a value of "VERBOSE" is not returned or the line is commented out or missing, this is a finding.
Configure TOSS 5 to log connection attempts by adding or modifying the following line in "/etc/ssh/sshd_config":
LogLevel VERBOSE
Restart the SSH daemon for the settings to take effect:
$ sudo systemctl restart sshd.service
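The check command greps every configuration file that sshd reports reading, so it can return more than one LogLevel line. The shell functions below, an added example that is not part of the STIG text, apply the finding criteria to a set of files, assuming sshd's first-value-wins handling of a repeated keyword; the file names and sample contents are constructed.

```shell
#!/bin/sh
# Added example, not part of the STIG text.

# Print the value of the first uncommented LogLevel line found in the given
# files (pass them in the order sshd reads them), or nothing if there is none.
# sshd keeps the first value it obtains for a keyword; later lines are ignored.
first_loglevel() {
    awk '
        {
            sub(/\r$/, "")               # tolerate CRLF line endings
            sub(/^[ \t]+/, "")           # drop leading indentation
            sub(/[ \t]*=[ \t]*/, " ")    # accept "LogLevel=VERBOSE" as well
        }
        /^#/ { next }                    # commented out: not a setting
        NF >= 2 && tolower($1) == "loglevel" { print $2; exit }
    ' "$@"
}

# Return 0 only when that value is exactly VERBOSE; otherwise report why the
# rule would be a finding and return 1. Match blocks are not evaluated.
check_loglevel() {
    value=$(first_loglevel "$@")
    if [ -z "$value" ]; then
        echo "finding: LogLevel is missing or commented out"
        return 1
    elif [ "$value" != "VERBOSE" ]; then
        echo "finding: LogLevel is $value, not VERBOSE"
        return 1
    fi
    echo "ok: LogLevel VERBOSE"
}

# Constructed sample files; the names are placeholders, not TOSS 5 paths.
demo=$(mktemp -d)
printf '#LogLevel VERBOSE\nLogLevel INFO\n' > "$demo/main.conf"
printf 'Port 22\n  loglevel = VERBOSE\n'   > "$demo/dropin.conf"
check_loglevel "$demo/main.conf" || true                      # finding: INFO
check_loglevel "$demo/dropin.conf" "$demo/main.conf" || true  # ok
check_loglevel "$demo/main.conf" "$demo/dropin.conf" || true  # finding: INFO
rm -rf "$demo"
```

The third call shows why file order matters: a compliant line in a file read later does not override an earlier "LogLevel INFO".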