← Rules Catalog
lowaccess-controlverified rollback-safe

Set SSH log level to VERBOSE

ssh-log-level · RHEL ≥ 8 · 2 impls

Description

The SSH daemon must log authentication events at the VERBOSE level. VERBOSE logging records additional details including the public key fingerprint used for each login, which is essential for determining which key was used when multiple keys are authorized for an account.

Rationale

At the default INFO level, sshd does not log which specific key was used for public key authentication. An attacker who has compromised one of several authorized keys for an account would be indistinguishable in the logs. VERBOSE logging records the key fingerprint, enabling forensic identification of compromised credentials.

Check → Remediate

Checksshd_effective_config
key:
loglevel
expected:
VERBOSE
Remediateconfig_set
path:
/etc/ssh/sshd_config
key:
LogLevel
value:
VERBOSE
separator:
reload:
sshd

Framework references

CIS

rhel10 5.1.14rhel8 5.1.16rhel9 5.1.15

STIG

V-281115 / RHEL-10-500215V-257982 / RHEL-09-255030

NIST 800-53

AU-3AU-12

Live verification

rhel10:checkrhel8:checkrhel9:check
#ssh#logging#audit