centos7:4:2:1:2

4.2.1.2 Ensure logging is configured (Not Scored)

Profile Applicability

Level 1 - Server 
Level 1 - Workstation

Description

The /etc/rsyslog.conf file specifies rules for logging and which files are to be used to log certain classes of messages.

Rationale

A great deal of important security-related information is sent via rsyslog (e.g., successful and failed su attempts, failed login attempts, root login attempts, etc.).

Audit

Review the contents of the /etc/rsyslog.conf file to ensure appropriate logging is set. In addition, run the following command and verify that the log files are logging information: 

# ls -l /var/log/

Remediation

Edit the following lines in the /etc/rsyslog.conf file as appropriate for your environment: 

*.emerg                  :omusrmsg:* 
mail.*                  -/var/log/mail 
mail.info               -/var/log/mail.info 
mail.warning            -/var/log/mail.warn 
mail.err                 /var/log/mail.err 
news.crit               -/var/log/news/news.crit 
news.err                -/var/log/news/news.err 
news.notice             -/var/log/news/news.notice 
*.=warning;*.=err       -/var/log/warn 
*.crit                   /var/log/warn 
*.*;mail.none;news.none -/var/log/messages 
local0,local1.*         -/var/log/localmessages 
local2,local3.*         -/var/log/localmessages 
local4,local5.*         -/var/log/localmessages 
local6,local7.*         -/var/log/localmessages

Run the following command to restart rsyslogd: 

# pkill -HUP rsyslogd

References

See the rsyslog.conf(5) man page for more information.

  • centos7/4/2/1/2.txt
  • Last modified: 2017/05/04 18:18
  • by Piotr Kłoczewski