4.1.1.3 Ensure logging is configured

Information

For an image using stackdriver, the /etc/stackdriver/logging.config.d/*.conf files specifies rules for logging and which files are to be used to log certain classes of messages. An image using fluent-bit uses /usr/share/fluent-bit/fluent-bit.conf for the same purpose.

A great deal of important security-related information is sent via logging (e.g., successful and failed su attempts, failed login attempts, root login attempts, etc.).

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Edit the contents of /etc/stackdriver/logging.config.d/*.conf if using an image with stackdriver or /usr/share/fluent-bit/fluent-bit.conf if using an image with fluent-bit as appropriate for your environment.Then run the following commands to reload the logging configuration:

For stackdriver-logging:

# systemctl restart stackdriver-logging

For fluent-bit:

# systemctl restart fluent-bit

/etc is stateless on Container-Optimized OS. Therefore, /etc cannot be used to make these changes persistent across reboots. The steps mentioned above need to be performed after every boot for images using stackdriver. This is not the case for fluent-bit as the logging agent is in /usr/share/ which isn't stateless so changes will be persistent across reboots.

See Also

https://workbench.cisecurity.org/benchmarks/12218