SLES-15-010580 - The SUSE operating system must off-load rsyslog messages for networked systems in real time and off-load standalone systems at least weekly.

Information

Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Off-loading is a common process in information systems with limited audit storage capacity.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure the SUSE operating system to off-load rsyslog messages for networked systems in real time.

For stand-alone systems establish a procedure to off-load log messages at least once a week.

For networked systems add a '@[Log_Server_IP_Address]' option to every active message label in '/etc/rsyslog.conf' that does not have one. Some examples are listed below:

*.*;mail.none;news.none -/var/log/messages
*.*;mail.none;news.none @192.168.1.101:514

An additional option is to capture all of the log messages and send them to a remote log host:

*.* @@loghost:514

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SLES_15_V2R1_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4(1), CAT|II, CCI|CCI-001851, Rule-ID|SV-234865r959008_rule, STIG-ID|SLES-15-010580, Vuln-ID|V-234865

Plugin: Unix

Control ID: a5ab1ad7f5f0c78400bdd4ab277c5857318197058347daf1d773ec57a65b3a0b