Information
For an image using stackdriver, the /etc/stackdriver/logging.config.d/*.conf files specify rules for logging and which files are to be used to log certain classes of messages. An image using fluent-bit uses /usr/share/fluent-bit/fluent-bit.conf for the same purpose.
A great deal of important security-related information is sent via logging (e.g., successful and failed su attempts, failed login attempts, root login attempts, etc.).
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Edit the contents of /etc/stackdriver/logging.config.d/*.conf if using an image with stackdriver, or /usr/share/fluent-bit/fluent-bit.conf if using an image with fluent-bit, as appropriate for your environment.
Then run the following commands to reload the logging configuration:
# systemctl restart stackdriver-logging
# systemctl restart fluent-bit
/etc is stateless on Container-Optimized OS. Therefore, /etc cannot be used to make these changes persistent across reboots. The steps mentioned above need to be performed after every boot for images using stackdriver. This is not the case for fluent-bit, as the logging agent is in /usr/share/, which isn't stateless, so changes will be persistent across reboots.
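Because this check is a manual review, the following added example (not part of the benchmark or of any image) lists what each [INPUT] section of a fluent-bit configuration collects, so a reviewer can confirm that security-relevant sources are covered. It assumes the file uses fluent-bit's classic `[SECTION]` / `key value` syntax and does not follow included files; `list_inputs` and `write_sample` are hypothetical helper names, and the sample configuration is constructed. On a real image, run `list_inputs /usr/share/fluent-bit/fluent-bit.conf`.

```shell
# Added example: summarize the [INPUT] sections of a fluent-bit classic config.

# list_inputs FILE -> one "name<TAB>path" line per [INPUT] ("-" if no Path key)
list_inputs() {
    awk '
        function emit() {
            if (in_input && name != "")
                printf "%s\t%s\n", tolower(name), (path == "" ? "-" : path)
            name = ""; path = ""
        }
        /^[ \t]*#/ { next }                  # comment line, ignore
        /^[ \t]*\[/ {                        # section header closes the previous one
            emit()
            in_input = (toupper($0) ~ /^[ \t]*\[INPUT\]/)
            next
        }
        in_input && NF >= 2 {
            key = tolower($1)                # keys are matched case-insensitively
            val = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", val)   # drop the key
            sub(/[ \t\r]+$/, "", val)              # drop trailing whitespace
            if (key == "name") name = val
            else if (key == "path") path = val
        }
        END { emit() }
    ' "$1"
}

# Constructed sample config (not the file shipped in any image).
write_sample() {
    cat > "$1" <<'EOF'
[SERVICE]
    Flush 1
[INPUT]
    Name  tail
    Path  /var/log/auth.log
# [INPUT] disabled section
[INPUT]
    Name  systemd
    Tag   journal
[OUTPUT]
    Name  stdout
    Path  /ignored
EOF
}

sample=$(mktemp); write_sample "$sample"; list_inputs "$sample"; rm -f "$sample"
```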