lowaccess-controlverified ✓rollback-safe
Set SSH log level to VERBOSE
ssh-log-level · RHEL ≥ 8 · 2 impls
Description
The SSH daemon must log authentication events at the VERBOSE level. VERBOSE logging records additional details including the public key fingerprint used for each login, which is essential for determining which key was used when multiple keys are authorized for an account.
Rationale
At the default INFO level, sshd does not log which specific key was used for public key authentication. An attacker who has compromised one of several authorized keys for an account would be indistinguishable in the logs. VERBOSE logging records the key fingerprint, enabling forensic identification of compromised credentials.
Check → Remediate
Checksshd_effective_config
- key:
- loglevel
- expected:
- VERBOSE
Remediateconfig_set
- path:
- /etc/ssh/sshd_config
- key:
- LogLevel
- value:
- VERBOSE
- separator:
- reload:
- sshd
Framework references
CIS
rhel10 5.1.14rhel8 5.1.16rhel9 5.1.15
STIG
V-281115 / RHEL-10-500215V-257982 / RHEL-09-255030
NIST 800-53
AU-3AU-12
Live verification
rhel10:checkrhel8:checkrhel9:check
#ssh#logging#audit