Title

RHEL 9 must log SSH connection attempts and failures to the server. (Cat II impact)

Discussion

SSH provides several logging levels with varying amounts of verbosity. "DEBUG" is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. "INFO" or "VERBOSE" level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field.

Check Content

Verify that RHEL 9 logs SSH connection attempts and failures to the server. Check what the SSH daemon's "LogLevel" option is set to with the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*loglevel' LogLevel VERBOSE If a value of "VERBOSE" is not returned or the line is commented out or missing, this is a finding.

Fix Text

Configure RHEL 9 to log connection attempts add or modify the following line in "/etc/ssh/sshd_config". LogLevel VERBOSE Restart the SSH daemon for the settings to take effect: $ sudo systemctl restart sshd.service

Additional Identifiers

Rule ID: SV-257982r952175_rule

Vulnerability ID: V-257982

Group Title: SRG-OS-000032-GPOS-00013

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.