8.1.1 Configuring syslog - local logging

Information

This recommendation implements a local syslog configuration.

Rationale:

Establishing a logging process via syslog provides system and security administrators with pertinent information relating to: login, mail, daemon, user and kernel activity. The recommendation is to enable local syslog logging, with a weekly rotation policy in a four weekly cycle. The log rotation isolates historical data which can be reviewed retrospectively if an issue is uncovered at a later date.

Impact:

This recommendation is manual because there are likely local requirements that surpass the basic recommendation here.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Explicitly define a log file for the auth.info output in /etc/syslog.conf:

printf 'auth.infott/var/adm/authlog rotate time 1w files 4
' >> /etc/syslog.conf

NOTE: This ensures that remote login, sudo or su attempts are logged separately
Create the authlog file and make it readable by root only:

touch /var/adm/authlog
chown root:system /var/adm/authlog
chmod u=rw,go= /var/adm/authlog

Create an entry in /etc/syslog.conf to capture all other output of level info or higher, excluding authentication information, as this is to be captured within /var/adm/authlog:

printf '*.info;auth.nonet/var/adm/syslog rotate time 1w files 4
' >> /etc/syslog.conf

Create the syslog file:

touch /var/adm/syslog
chmod u=rw,g=r,o= /var/adm/syslog

Refresh syslogd to force the daemon to read the edited /etc/syslog.conf:

refresh -s syslogd

Default Value:

Not configured

Additional Information:

Reversion:

Edit /etc/syslog.conf and remove the authlog and syslog entries:

vi /etc/syslog.conf

Remove:

auth.info /var/adm/authlog rotate time 1w files 4

*.info;auth.none /var/adm/syslog rotate time 1w files 4

Refresh syslogd to force the daemon to read the edited /etc/syslog.conf:

refresh -s syslogd

Delete the authlog and syslog files:

rm /var/adm/authlog /var/adm/syslog

See Also

https://workbench.cisecurity.org/benchmarks/13069

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-9(2)

Plugin: Unix

Control ID: de0e6ddb2be3a70a9bded644cc933aebb713011fa25acd1c8e83a16052ce4175