6.1.3.5 Ensure rsyslog logging is configured

Information

The rsyslog and configuration files specifies rules for logging and which files are to be used to log certain classes of messages.

A great deal of important security-related information is sent via rsyslog (e.g., successful and failed su attempts, failed login attempts, root login attempts, etc.).

Solution

Edit the following lines in the configuration file(s) returned by the audit as appropriate for your environment.

Note: The below configuration is shown for example purposes only. Due care should be given to how the organization wishes to store log data.

*.emerg :omusrmsg:*
auth,authpriv.* /var/log/secure
mail.* -/var/log/mail
mail.info -/var/log/mail.info
mail.warning -/var/log/mail.warn
mail.err /var/log/mail.err
cron.* /var/log/cron
*.=warning;*.=err -/var/log/warn
*.crit /var/log/warn
*.*;mail.none;news.none -/var/log/messages
local0,local1.* -/var/log/localmessages
local2,local3.* -/var/log/localmessages
local4,local5.* -/var/log/localmessages
local6,local7.* -/var/log/localmessages

Run the following command to reload the rsyslogd configuration:

# systemctl reload-or-restart rsyslog

See Also

https://workbench.cisecurity.org/benchmarks/18960

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, 800-53|AU-7, 800-53|AU-12, CSCv7|6.2, CSCv7|6.3

Plugin: Unix

Control ID: 0591a31031559537b20dc868cfeeda3539635bf857e80d0574d7dc02f2a36b98