4.7.3.3 Ensure sftp-server arguments are configured

Information

The sftp-server is started by the sshd server after authentication has been completed successfully. The process runs with the euid of the authenticated user. The sftp-server does not inherit the logging levels from sshd and they must be configured manually.

SFTP provides several logging levels with varying amounts of verbosity. The DEBUG options are specifically not recommended other than strictly for debugging SSH communications. These levels provide so much data that it is difficult to identify important security information, and may violate the privacy of users.

The INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field.

The VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments.

Solution

Edit the /etc/ssh/sshd_config to set the sftp arguments as follows:

Subsystem sftp /usr/sbin/sftp-server -u 027 -f AUTH -l INFO
- OR -
Subsystem sftp /usr/sbin/sftp-server -u 027 -f AUTH -l VERBOSE
- Re-cycle the sshd daemon to pick up the configuration changes:

stopsrc -s sshd
sleep 5
startsrc -s sshd

See Also

https://workbench.cisecurity.org/benchmarks/10385

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, 800-53|AU-7, 800-53|AU-12, CSCv7|6.2, CSCv7|6.3

Plugin: Unix

Control ID: c300bdd8d7bfddf10243d6a4e4063c486222d36cc8a217cf2fd4d6cb2b24bc74