8.1.2 Configuring syslog - remote logging

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This recommendation implements a remote syslog configuration.

Rationale:

To further enhance the local syslog logging process CIS recommends that syslog information, in particular that generated by the auth facility, is logged remotely. This recommendation assumes that a remote and secure syslog server is available on the network. If this is not the case, please skip to the next recommendation.

The primary reason for logging remotely is to provide an un-editable audit trail of system access. If a hacker were to access a system and gain super user authority it would be easy to edit local files and remove all traces of access, providing the system administrator with no way of identifying the individual or group responsible. If the log data is sent remotely at the point of access, these remote logs can then be reconciled with local data to identify tampered and altered files. The logs can also be used as evidence in any subsequent prosecution.

Solution

Explicitly define a remote host for auth.info data in /etc/syslog.conf (enter the remote host IP address in the example below):

printf 'auth.infott@<IP address of remote syslog server>' >> /etc/syslog.conf

NOTE: This ensures that remote login, sudo or su attempts are logged separately
Create a remote host entry in /etc/syslog.conf to capture all other output of level info or higher (enter the remote host IP address in the example below):

printf '*.info;auth.nonet@<IP address of remote syslog server>
' >> /etc/syslog.conf

Refresh syslogd to force the daemon to read the edited /etc/syslog.conf:

refresh -s syslogd

Default Value:

Not configured

Additional Information:

IBM POWER Systems can supply an additional security mechanism named Trusted Logging in it's PowerSC package.

This product writes logs to storage on a VIOS (Virtual I/O Server) without any need for an active/open IP path.

Since it is an additional product - we consider using Trusted Logging as Level 2, IG2 whereas remote syslog may be considered Level 1.

See Also

https://workbench.cisecurity.org/benchmarks/7851