4.2.1.5 Ensure remote rsyslog messages are only accepted on designated log hosts. (Not Scored)
Profile Applicability
Level 1 - Server Level 1 - Workstation
Description
By default, rsyslog
does not listen for log messages coming in from remote systems. The ModLoad
tells rsyslog
to load the imtcp.so
module so it can listen over a network via TCP. The InputTCPServerRun
option instructs rsyslogd
to listen on the specified TCP port.
Rationale
The guidance in the section ensures that remote log hosts are configured to only accept rsyslog
data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog
messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog
data in a central location.
Audit
Run the following commands and verify the resulting lines are uncommented on designated log hosts and commented or removed on all others:
# grep '$ModLoad imtcp.so' /etc/rsyslog.conf $ModLoad imtcp.so # grep '$InputTCPServerRun' /etc/rsyslog.conf $InputTCPServerRun 514
Remediation
For hosts that are designated as log hosts, edit the /etc/rsyslog.conf
file and un-comment or add the following lines:
$ModLoad imtcp.so $InputTCPServerRun 514
For hosts that are not designated as log hosts, edit the /etc/rsyslog.conf
file and comment or remove the following lines:
# $ModLoad imtcp.so # $InputTCPServerRun 514
Run the following command to restart rsyslogd
:
# pkill -HUP rsyslogd
References
See the rsyslog(8)
man page for more information.