LOW L1: SSHD LogLevel P4
Overview
This remediation configures the SSH daemon logging level to INFO, ensuring adequate logging of SSH connections and authentication events.
Settings
| Setting | Value | Description |
|---|---|---|
| LogLevel | INFO | Set SSH logging to INFO level |
Log Level Options
| Level | Description |
|---|---|
| QUIET | Minimal logging |
| FATAL | Only fatal errors |
| ERROR | Errors only |
| INFO | Informational messages (recommended) |
| VERBOSE | Detailed logging |
| DEBUG | Debug information (not for production) |
Implementation
The remediation applies a MachineConfig with SSHD logging configuration:
```yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-sshd-low
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/ssh/sshd_config.d/75-low-hardening.conf
          mode: 0600
          overwrite: true
          contents:
            inline: |
              # LOW severity SSHD settings
              LogLevel INFO
```
Compliance Checks Remediated
| Check | Profile | Docs |
|---|---|---|
| rhcos4-e8-worker-sshd-set-loglevel-info | E8 | 📖 |
| rhcos4-e8-master-sshd-set-loglevel-info | E8 | 📖 |
Source Remediation Files
- low/rhcos4-e8-worker-sshd-set-loglevel-info.yaml
- low/rhcos4-e8-master-sshd-set-loglevel-info.yaml
Verification
After applying the MachineConfig, verify SSHD logging:
```bash
oc debug node/<node-name> -- chroot /host sshd -T | grep loglevel
# Expected output: loglevel INFO
```
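To repeat the check above on every node of a role and flag nodes where the effective value is not INFO, the same `sshd -T` command can be wrapped and its output classified. This is an added example, not part of the remediation project; the function names and the constructed sample output are assumptions, and it expects a logged-in `oc` session when role names are passed.

```shell
#!/usr/bin/env bash
# Added example (not from the remediation project): per-node audit of the
# effective sshd LogLevel. Function names are illustrative assumptions.
REQUIRED_LEVEL="INFO"

# Read `sshd -T` output on stdin; print the effective LogLevel in upper case.
# Returns 1 when no loglevel line exists (e.g. the debug pod never started).
effective_loglevel() {
  awk 'tolower($1) == "loglevel" && !found { print toupper($2); found = 1 }
       END { exit !found }'
}

# Classify sshd -T output on stdin: PASS, "FAIL <level>", or UNKNOWN.
classify() {
  local level
  if ! level="$(effective_loglevel)"; then
    echo "UNKNOWN"; return 2
  fi
  if [ "$level" = "$REQUIRED_LEVEL" ]; then
    echo "PASS"; return 0
  fi
  echo "FAIL $level"; return 1
}

# Run the page's verification command on every node carrying the role label.
# Assumes `oc` is logged in with permission to start node debug pods.
audit_role() {
  local role="$1" node result rc=0
  for node in $(oc get nodes -l "node-role.kubernetes.io/${role}" -o name); do
    # Drop stderr (oc debug status messages); awk ignores other stray lines.
    result="$(oc debug "$node" -- chroot /host sshd -T 2>/dev/null | classify)" || rc=1
    printf '%-45s %s\n' "$node" "$result"
  done
  return "$rc"
}

# Constructed sample of `sshd -T` output, used when no role is given.
sample_sshd_t() {
  printf '%s\n' 'port 22' 'syslogfacility AUTHPRIV' 'loglevel INFO' 'permitrootlogin no'
}

if [ "$#" -gt 0 ]; then
  status=0
  for role in "$@"; do audit_role "$role" || status=1; done
  exit "$status"
else
  echo "sample: $(sample_sshd_t | classify)"
fi
```

Pass `master worker` as arguments to cover both roles named in the compliance checks. sshd keeps the first value it obtains for each keyword, so a FAIL after rollout can mean a `LogLevel` line is being read before `75-low-hardening.conf`.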
Related SSHD Groups
Other SSHD hardening groups:
- H3: SSHD Empty Passwords - HIGH severity (in progress)
- M1: SSHD Configuration - MEDIUM severity (pending)