4.2.2.5 Ensure remote syslog-ng messages are only accepted on designated log hosts

Information

By default, syslog-ng does not listen for log messages coming in from remote systems. The guidance in the section ensures that remote log hosts are configured to only accept syslog-ng data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote syslog-ng messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location.

NOTE: Syslog-NG was not found to be installed.

Solution

On designated log hosts edit the /etc/syslog-ng/syslog-ng.conf file and configure the following lines are appropriately: source net{ tcp(); };destination remote { file("/var/log/remote/${FULLHOST}-log"); };log { source(net); destination(remote); }; On non designated log hosts edit the /etc/syslog-ng/syslog-ng.conf file and remove or edit any sources that accept network sourced log messages. Run the following command to restart syslog-ng: # pkill -HUP syslog-ng

See Also

https://workbench.cisecurity.org/files/1866

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-9(2), CSCv6|9.1

Plugin: Unix

Control ID: dc02ef1bf7763ceaba859a5cabff8bcdb26d9b3947db1dd94120ee3fb2320596