5.1.1 Configure /etc/syslog.conf - auth,user

Information

The /etc/syslog.conf file specifies rules for logging and which files are to be used to log certain classes of messages.

Rationale:

A great deal of important security-related information is sent via syslog (e.g., successful and failed su attempts, failed login attempts, root login attempts, etc.).

Solution

Edit the following lines in the /etc/syslog.conf file as appropriate for your environment:

auth,user.* /var/log/messages
kern.* /var/log/kern.log
daemon.* /var/log/daemon.log
syslog.* /var/log/syslog
lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6.* /var/log/unused.log

Execute the following command to restart syslogd:

# pkill -HUP syslogd

Default Value:

OS Default: N/A

See Also

https://workbench.cisecurity.org/files/3096

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12, CSCv7|6.3

Plugin: Unix

Control ID: 8a021e6f2d7a94c14574f6f107c67e931f3f74bb84b6f4aa61cbe8de9117ced6