4.2.3.5 Ensure remote syslog-ng messages are only accepted on designated log hosts

Information

By default, syslog-ng does not listen for log messages coming in from remote systems.

Rationale:

The guidance in the section ensures that remote log hosts are configured to only accept syslog-ng data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote syslog-ng messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location.

Solution

On designated log hosts edit the /etc/syslog-ng/syslog-ng.conf file and configure the following lines are appropriately:

source net{ tcp(); };
destination remote { file('/var/log/remote/${FULLHOST}-log'); };
log { source(net); destination(remote); };

On non designated log hosts edit the /etc/syslog-ng/syslog-ng.conf file and remove or edit any sources that accept network sourced log messages.
Run the following command to reload the syslog-ng configuration:

# pkill -HUP syslog-ng

References:

See the syslog-ng(8) man page for more information.

See Also

https://workbench.cisecurity.org/files/2688

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-9(2), CSCv7|6.5

Plugin: Unix

Control ID: 4f627b6682fe52d10b3b2ae5f7c4ecdf4ca8bc7d83796a3f42869ae756423ae6