RHEL-10-200643 - RHEL 10 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.

Information

Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software, introduce misleading information into the system's logs, or fill the system's storage, leading to a denial of service.

If the system is intended to be a log aggregation server, its use must be documented with the information system security officer.

Solution

Configure RHEL 10 to not receive remote logs using rsyslog.

Remove the lines in "/etc/rsyslog.conf" and any files in the "/etc/rsyslog.d" directory that match any of the following:

InputTCPServerRun
UDPServerRun
RELPServerRun
module(load="imtcp")
module(load="imudp")
module(load="imrelp")
input(type="imudp" port="514")
input(type="imtcp" port="514")
input(type="imrelp" port="514")

Restart the rsyslog daemon with the following command for the changes to take effect:

$ sudo systemctl restart rsyslog.service

Item Details

Audit Name: DISA Red Hat Enterprise Linux 10 STIG v1r1

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Plugin: Unix

Control ID: 016950f2b2e9da6a289ec0e3dc970bb1119034a5d8d7384283bb3ad69cf2a414

Detections

Analytics

RHEL-10-200643 - RHEL 10 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.

Information

Solution

See Also

Item Details