8.2 Configure a Logging File Channel - category dnssec

Information

To capture logs to a local file, set up a channel for the file in the logging configuration section. It is often helpful to have one log file for security-related logs and a second one with a dynamic severity level that can be used as needed for debugging.

Rationale:

Logging security-related events is critical for monitoring the security of the server, so that any issues affecting it can be seen and attacks can be responded to.

Solution

In named.conf, configure a channel for a local security log file with the categories config, dnssec, network, security, update, xfer-in and xfer-out. The local log file will be within the chroot directory.

logging {
    . . .
    channel local_security_log {
        file "/var/run/named/secure.log" versions 10 size 20m;
        severity debug;
        print-time yes;
    };
    // Config file processing
    category config { local_security_log; };
    // Processing signed responses
    category dnssec { local_security_log; };
    // Network operations
    category network { local_security_log; };
    // Approved or unapproved requests
    category security { local_security_log; };
    // Dynamic updates
    category update { local_security_log; };
    // Transfers to the name server
    category xfer-in { local_security_log; };
    // Transfers from the name server
    category xfer-out { local_security_log; };
    // Optional debug log file, may be enabled dynamically.
    channel local_debug_log {
        file "/var/run/named/debug.log";
        severity dynamic;
        print-time yes;
    };
    category default { local_debug_log; };
    category general { local_debug_log; };
};
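An added audit check, not part of this benchmark item or of BIND itself, that parses the logging stanza of a named.conf and reports which of the required categories are not routed to a file-backed channel (a category sent only to syslog, stderr or the built-in null channel counts as missing). The sample configuration is constructed from the stanza above; the regex-based parsing assumes channel and category blocks contain no nested braces.

```python
import re

# Categories this control requires to be sent to the local security log.
REQUIRED_CATEGORIES = {"config", "dnssec", "network", "security",
                       "update", "xfer-in", "xfer-out"}

# Constructed sample: the logging stanza from the control (placeholder omitted).
SAMPLE_NAMED_CONF = """
logging {
    channel local_security_log {
        file "/var/run/named/secure.log" versions 10 size 20m;
        severity debug;
        print-time yes;
    };
    category config { local_security_log; };
    category dnssec { local_security_log; };
    category network { local_security_log; };
    category security { local_security_log; };
    category update { local_security_log; };
    category xfer-in { local_security_log; };
    category xfer-out { local_security_log; };
    channel local_debug_log { file "/var/run/named/debug.log"; severity dynamic; };
    category default { local_debug_log; };
};
"""

def strip_comments(text):
    # named.conf accepts /* */, // and # comments; drop them before parsing.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def file_channels(conf):
    # Names of channels whose destination is a local file ('file "..."').
    chans = re.findall(r'channel\s+([\w-]+)\s*\{([^}]*)\}', conf)
    return {name for name, body in chans if re.search(r'\bfile\s+"', body)}

def category_routes(conf):
    # Map each category to the set of channels it is routed to.
    routes = {}
    for name, body in re.findall(r'category\s+([\w-]+)\s*\{([^}]*)\}', conf):
        routes[name] = set(re.findall(r'([\w-]+)\s*;', body))
    return routes

def missing_security_categories(conf_text):
    # Required categories that reach no file-backed channel (sorted for stable output).
    conf = strip_comments(conf_text)
    files = file_channels(conf)
    routes = category_routes(conf)
    return sorted(c for c in REQUIRED_CATEGORIES if not (routes.get(c, set()) & files))
```

Run it against the real file with `missing_security_categories(open("/etc/named.conf").read())`; an empty list means every required category lands in a local log file.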

Default Value:

There is no security log by default.

See Also

https://workbench.cisecurity.org/files/1735

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c., CSCv6|6.2

Plugin: Unix

Control ID: b7fe898f2142bd329206b15f7ca3845350e12d5e72a25ffba3b14a9a21b360e6