Merge pull request #200 from rediculum/master

Add attribute for sftp subsystem logging
dev-sec · Oct 8, 2018 · 6969459 · 6969459
2 parents e99a3bf + dee3969
commit 6969459
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/attributes/default.rb b/attributes/default.rb
@@ -114,6 +114,7 @@
 
   # sshd sftp options
   server['sftp']['enable']                  = false
+  server['sftp']['log_level']               = 'VERBOSE'
   server['sftp']['group']                   = 'sftponly'
   server['sftp']['chroot']                  = '/home/%u'
   server['sftp']['password_authentication'] = false

diff --git a/templates/default/opensshd.conf.erb b/templates/default/opensshd.conf.erb
@@ -214,11 +214,11 @@ AcceptEnv <%= @node['ssh-hardening']['ssh']['server']['accept_env'].join(' ') %>
 # Configuration, in case SFTP is used
 ## override default of no subsystems
 ## Subsystem sftp /opt/app/openssh5/libexec/sftp-server
-Subsystem sftp internal-sftp -l VERBOSE
+Subsystem sftp internal-sftp -l <%= @node['ssh-hardening']['ssh']['server']['sftp']['log_level'] %>
 
 ## These lines must appear at the *end* of sshd_config
 Match Group <%= @node['ssh-hardening']['ssh']['server']['sftp']['group'] %>
-ForceCommand internal-sftp -l VERBOSE
+ForceCommand internal-sftp -l <%= @node['ssh-hardening']['ssh']['server']['sftp']['log_level'] %>
 ChrootDirectory <%= @node['ssh-hardening']['ssh']['server']['sftp']['chroot'] %>
 AllowTcpForwarding no
 AllowAgentForwarding no