4.2.2.5 Ensure remote syslog-ng messages are only accepted on designated log hosts (Not Scored)
Profile Applicability
Level 1 - Server
Level 1 - Workstation
Description
By default, syslog-ng does not listen for log messages coming in from remote systems. A network source has to be added explicitly, and it should exist only on hosts designated to collect logs from other systems.
Rationale
The guidance in this section ensures that designated log hosts accept syslog-ng data only from hosts within the specified domain, and that systems not designed to be log hosts accept no remote syslog-ng messages at all. This protects against spoofed log data and ensures that system administrators review reasonably complete syslog data in a central location.
Audit
Review the /etc/syslog-ng/syslog-ng.conf file and verify that the following lines are present and configured appropriately on designated log hosts:
source net { tcp(); };
destination remote { file("/var/log/remote/${FULLHOST}-log"); };
log { source(net); destination(remote); };
On all other hosts, verify that no source block contains a driver that listens on the network (tcp(), udp(), network() or syslog()).
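The following shell script is an added example of how this audit can be run non-interactively; it is not part of the benchmark. The function names (flatten_conf, network_sources, accepts_remote, has_per_host_destination, audit_remote_logging) are this example's own. It assumes syslog-ng 3.x driver names (tcp(), tcp6(), udp(), udp6(), network(), syslog()) and source blocks that do not nest braces, and it runs against constructed sample configurations written to a temporary directory rather than a live host's file.

```shell
#!/bin/sh
# Added audit helper for 4.2.2.5 (example code, not part of the CIS benchmark).
# It reports every syslog-ng source block containing a driver that listens on
# the network, so a reviewer can confirm that only designated log hosts accept
# remote messages. Assumptions: syslog-ng 3.x driver names and source blocks
# without nested braces (true of the benchmark's own configuration lines).

# Drop comments and collapse the configuration onto one line so a source
# block that spans several lines can be matched by a single regex.
flatten_conf() {
  sed -e 's/#.*$//' "$1" | tr '\n\t' '  ' | tr -s ' '
}

# Print "<source-name> <driver>" for each source block that would accept
# messages from the network (first such driver per block); print nothing
# if the host reads local logs only.
network_sources() {
  flatten_conf "$1" | awk '
  {
    rest = $0
    while (match(rest, /source[ ]+[A-Za-z0-9_]+[ ]*[{][^}]*[}]/)) {
      blk  = substr(rest, RSTART, RLENGTH)
      rest = substr(rest, RSTART + RLENGTH)
      name = blk
      sub(/^source[ ]+/, "", name)
      sub(/[ ]*[{].*$/, "", name)
      if (match(blk, /[^A-Za-z0-9_](tcp6?|udp6?|network|syslog)[ ]*[(]/)) {
        drv = substr(blk, RSTART + 1, RLENGTH - 1)
        sub(/[ ]*[(]$/, "", drv)
        print name, drv
      }
    }
  }'
}

# Exit status 0 when the configuration accepts remote messages, 1 otherwise.
accepts_remote() {
  [ -n "$(network_sources "$1")" ]
}

# Exit status 0 when some destination writes one file per sending host,
# i.e. its file() path uses the ${FULLHOST} macro as the benchmark's does.
has_per_host_destination() {
  flatten_conf "$1" | grep -q 'destination[^}]*file("[^"]*\${FULLHOST}'
}

# Verdict for a host of the given role: a "loghost" must accept remote
# messages and store them per host; a "client" must accept none.
# Prints PASS or FAIL; returns 0 only on PASS.
audit_remote_logging() {
  conf=$1; role=$2
  case $role in
    loghost)
      if accepts_remote "$conf" && has_per_host_destination "$conf"; then
        echo PASS; return 0
      fi ;;
    client)
      if ! accepts_remote "$conf"; then
        echo PASS; return 0
      fi ;;
  esac
  echo FAIL; return 1
}

# Constructed sample configurations (not taken from any real host).
write_sample_confs() {
  cat > "$1/loghost.conf" <<'EOF'
@version: 3.8
# designated log host: accepts remote messages on TCP/514
source s_local { system(); internal(); };
source net { tcp(); };
destination remote { file("/var/log/remote/${FULLHOST}-log"); };
log { source(net); destination(remote); };
EOF
  cat > "$1/client.conf" <<'EOF'
@version: 3.8
# ordinary host: local sources only, forwards everything to the log host
source s_local { system(); internal(); };
destination d_loghost { tcp("loghost.example.com" port(514)); };
log { source(s_local); destination(d_loghost); };
EOF
  cat > "$1/bad_client.conf" <<'EOF'
@version: 3.8
# misconfigured client: a leftover network listener spread over three lines
source s_local { system(); internal(); };
source s_net {
    network(ip("0.0.0.0") port(514) transport("udp"));
};
EOF
}

# Stand-alone demonstration on the constructed configurations.
demo_dir=$(mktemp -d)
write_sample_confs "$demo_dir"
for f in loghost:loghost client:client bad_client:client; do
  conf="$demo_dir/${f%%:*}.conf"; role=${f##*:}
  printf '%s (%s): %s\n' "${f%%:*}" "$role" "$(audit_remote_logging "$conf" "$role")"
  network_sources "$conf" | sed 's/^/    network source: /'
done
rm -r "$demo_dir"
```

On a host that is not a designated log host, network_sources /etc/syslog-ng/syslog-ng.conf must print nothing. The tcp() used as a destination in client.conf is correctly ignored because only source blocks are examined. The script does not follow @include directives, so included configuration files have to be scanned separately.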
Remediation
On designated log hosts, edit the /etc/syslog-ng/syslog-ng.conf file and add or adjust the following lines:
source net { tcp(); };
destination remote { file("/var/log/remote/${FULLHOST}-log"); };
log { source(net); destination(remote); };
As written, tcp() listens on port 514 on all interfaces and accepts a connection from any address, so restrict the sending hosts to the intended domain with the host firewall or by requiring TLS client certificates on the source.
On hosts that are not designated log hosts, edit the /etc/syslog-ng/syslog-ng.conf file and remove or edit any source that accepts log messages from the network (the tcp(), udp(), network() and syslog() drivers).
Check the configuration syntax with syslog-ng -s (--syntax-only), then run the following command to make syslog-ng reload its configuration:
# pkill -HUP syslog-ng
References
See the syslog-ng(8) and syslog-ng.conf(5) man pages for more information.