3.4 Enable remote logging for Desktops on trusted networks

Information

A log is a file that records the events that occur while an operating system and/or software is running. The built-in syslog capability in OS X runs over UDP without encryption. Broadcasting log unencrypted over the internet is not a good idea. While syslog may be acceptable on some internal trusted networks it is not a solution for mobile devices that hop between networks. Solutions for logging might include: An encrypted tunnel that auto reconnects for each new network the laptop joins A third party logging daemon that encrypts the log transmission A local store and forward script that bundles the logs and sends periodically through an encrypted transmission (ssh) or when the device is connected to a trusted network In addition to local logging, remote logging can be enabled for internal computers on trusted networks. Local logs can be altered if the computer is compromised. Remote logging mitigates the risk of having the logs altered.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Perform the following to implement the prescribed state: Run the following command in Terminal: sudo pico /etc/syslog.conf Add the following line to the top of the file, replacing "your.log.server" with the name or IP address of the log server, and keeping all other lines intact. *.* @your.log.server Exit, saving changes. Reboot the system.

See Also

https://workbench.cisecurity.org/files/299

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c.

Plugin: Unix

Control ID: d7ad27357555b30643d5690d5af7e23492377ad6c9c6f9394d0b11277ad78875