6.1.1 Configuring syslog - local logging - /var/adm/syslog

Information

This recommendation implements a local syslog configuration.

Rationale:

Establishing a logging process via syslog provides system and security administrators with pertinent information relating to: login, mail, daemon, user and kernel activity. The recommendation is to enable local syslog logging, with a weekly rotation policy in a four weekly cycle. The log rotation isolates historical data which can be reviewed retrospectively if an issue is uncovered at a later date.

Impact:

This recommendation is manual because there are likely local requirements that surpass the basic recommendation here.

Solution

Explicitly define a log file for the auth.info output in /etc/syslog.conf:

printf 'auth.infott/var/adm/authlog rotate time 1w files 4
' >> /etc/syslog.conf

NOTE: This ensures that remote login, sudo or su attempts are logged separately
Create the authlog file and make it readable by root only:

touch /var/adm/authlog
chown root:system /var/adm/authlog
chmod u=rw,go= /var/adm/authlog

Create an entry in /etc/syslog.conf to capture all other output of level info or higher, excluding authentication information, as this is to be captured within /var/adm/authlog:

printf '*.info;auth.nonet/var/adm/syslog rotate time 1w files 4
' >> /etc/syslog.conf

Create the syslog file:

touch /var/adm/syslog
chmod u=rw,g=r,o= /var/adm/syslog

Refresh syslogd to force the daemon to read the edited /etc/syslog.conf:

refresh -s syslogd

Default Value:

Not configured

Additional Information:

Reversion:

Edit /etc/syslog.conf and remove the authlog and syslog entries:

vi /etc/syslog.conf

Remove:

auth.info /var/adm/authlog rotate time 1w files 4

*.info;auth.none /var/adm/syslog rotate time 1w files 4

Refresh syslogd to force the daemon to read the edited /etc/syslog.conf:

refresh -s syslogd

Delete the authlog and syslog files:

rm /var/adm/authlog /var/adm/syslog

See Also

https://workbench.cisecurity.org/files/4119

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, 800-53|AU-7, 800-53|AU-12, CSCv7|6.2

Plugin: Unix

Control ID: 5d2406ead71adaf3a7374f94a1891ca987e216fb129b2527e9674b1971fb3da1