8.1.3 Configuring syslog - remote messages

Information

This recommendation prevents the local syslogd daemon from accepting messages from other hosts on the network.

Rationale:

Apart from a central syslog server, all other hosts should not accept remote syslog messages. By default the syslogd daemon accepts all remote syslog messages as no authentication is required. This means that a hacker could flood a server with syslog messages and potentially fill up the /var filesystem.

Solution

If the server does not act as a central syslog server, suppress the logging of messages originating from remote servers:

chssys -s syslogd -a '-r'

Re-cycle syslogd to activate the configuration change:

stopsrc -s syslogd
startsrc -s syslogd

Default Value:

Not configured

Additional Information:

Reversion:

Remove the suppression of remote syslog messages:

chssys -s syslogd -a ''

Re-cycle syslogd to activate the configuration change:

stopsrc -s syslogd

startsrc -s syslogd

See Also

https://workbench.cisecurity.org/benchmarks/13069

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-9(2)

Plugin: Unix

Control ID: c382d78d374353cb457e0bb67698f9fe086004cd3b757d347d1c4b08635eda2c