Detections
Analytics

4.2.2.2 Ensure logging is configured

Information

The /etc/syslog-ng/syslog-ng.conf file specifies rules for logging and which files are to be used to log certain classes of messages. A great deal of important security-related information is sent via syslog-ng (e.g., successful and failed su attempts, failed login attempts, root login attempts, etc.).

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Edit the log lines in the /etc/syslog-ng/syslog-ng.conf file as appropriate for yourenvironment:
 log { source(src); source(chroots); filter(f_console); destination(console); };
 log { source(src); source(chroots); filter(f_console); destination(xconsole); };
 log { source(src); source(chroots); filter(f_newscrit); destination(newscrit); };
 log { source(src); source(chroots); filter(f_newserr); destination(newserr); };
 log { source(src); source(chroots); filter(f_newsnotice); destination(newsnotice); };
 log { source(src); source(chroots); filter(f_mailinfo); destination(mailinfo); };
 log { source(src); source(chroots); filter(f_mailwarn); destination(mailwarn); };
 log { source(src); source(chroots); filter(f_mailerr); destination(mailerr); };
 log { source(src); source(chroots); filter(f_mail); destination(mail); };
 log { source(src); source(chroots); filter(f_acpid); destination(acpid); flags(final); };
 log { source(src); source(chroots); filter(f_acpid_full); destination(devnull); flags(final); };
 log { source(src); source(chroots); filter(f_acpid_old); destination(acpid); flags(final); };
 log { source(src); source(chroots); filter(f_netmgm); destination(netmgm); flags(final); };
 log { source(src); source(chroots); filter(f_local); destination(localmessages); };
 log { source(src); source(chroots); filter(f_messages); destination(messages); };
 log { source(src); source(chroots); filter(f_iptables); destination(firewall); };
 log { source(src); source(chroots); filter(f_warn); destination(warn); };

 Run the following command to restart syslog-ng: # pkill -HUP syslog-ng

See Also

https://workbench.cisecurity.org/files/1866

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c., CSCv6|6.2

Plugin: Unix

Control ID: 88d62b914c880da39fe8cc4eda410d2079e1cf41f3bd991776cbf2087e7ddac9