4.2.2.2 Ensure logging is configured (Not Scored)
Profile Applicability
Level 1 - Server
Level 1 - Workstation
Description
The /etc/syslog-ng/syslog-ng.conf file specifies rules for logging and which files are to be used to log certain classes of messages.
Rationale
A great deal of important security-related information is sent via syslog-ng (e.g., successful and failed su attempts, failed login attempts, root login attempts, etc.).
Audit
Review the contents of the /etc/syslog-ng/syslog-ng.conf file to ensure appropriate logging is set. In addition, run the following command and ensure that the log files are logging information:
# ls -l /var/log/
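The audit above is a manual review. The following script is an added example (not part of the CIS benchmark text) that mechanises the same two checks: it counts the log { ... } statements in a syslog-ng configuration, lists the benchmark's filter names that no log statement routes to a destination, and counts files under a log directory that have been written to recently, which is what "ls -l /var/log/" is being eyeballed for. It runs against a constructed sample configuration and log directory created in a temporary directory; on a real host set CONF to /etc/syslog-ng/syslog-ng.conf and LOGDIR to /var/log. The function names and the choice of a 60-minute freshness window are this example's own assumptions.

```shell
#!/bin/sh
# Added audit helper for CIS 4.2.2.2 (example code, not from the benchmark).

# Return the number of "log { ... }" statements in a syslog-ng config file.
count_log_statements() {
    grep -Ec '^[[:space:]]*log[[:space:]]*\{' "$1" || true
}

# Print each filter name (f_messages, f_warn, ...) that no log{} statement
# references in the config. Returns 0 when every filter is routed, 1 otherwise.
missing_filters() {
    conf="$1"; shift
    rc=0
    for f in "$@"; do
        if ! grep -Eq "filter\($f\)" "$conf"; then
            echo "$f"
            rc=1
        fi
    done
    return $rc
}

# Count regular files under DIR modified within the last MINUTES minutes;
# a log directory with no recently written files is a sign syslog-ng is not
# delivering messages anywhere.
recent_log_files() {
    find "$1" -type f -mmin "-$2" 2>/dev/null | wc -l | tr -d ' '
}

# Constructed sample data so the checks run offline (assumption: a minimal
# config with two routed filters and a log directory with two fresh files).
SAMPLE_DIR=$(mktemp -d)
CONF="$SAMPLE_DIR/syslog-ng.conf"
LOGDIR="$SAMPLE_DIR/log"
mkdir -p "$LOGDIR"
cat > "$CONF" <<'EOF'
source src { internal(); unix-dgram("/dev/log"); };
destination messages { file("/var/log/messages"); };
destination warn { file("/var/log/warn" fsync(no)); };
log { source(src); source(chroots); filter(f_messages); destination(messages); };
log { source(src); source(chroots); filter(f_warn); destination(warn); };
EOF
touch "$LOGDIR/messages" "$LOGDIR/warn"

# Human-readable audit summary for the configured CONF and LOGDIR.
audit_report() {
    echo "log statements in $CONF: $(count_log_statements "$CONF")"
    if m=$(missing_filters "$CONF" f_messages f_warn f_iptables); then
        echo "all required filters are routed to a destination"
    else
        echo "filters with no log{} statement: $m"
    fi
    echo "files in $LOGDIR written in the last 60 min: $(recent_log_files "$LOGDIR" 60)"
}

audit_report
```

The filter list passed to missing_filters is the one to tune per environment: the benchmark's remediation names f_messages, f_warn, f_iptables, f_mail and so on, and any of them absent from every log statement means that class of message is silently dropped.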
Remediation
Edit the log lines in the /etc/syslog-ng/syslog-ng.conf file as appropriate for your environment:
log { source(src); source(chroots); filter(f_console); destination(console); };
log { source(src); source(chroots); filter(f_console); destination(xconsole); };
log { source(src); source(chroots); filter(f_newscrit); destination(newscrit); };
log { source(src); source(chroots); filter(f_newserr); destination(newserr); };
log { source(src); source(chroots); filter(f_newsnotice); destination(newsnotice); };
log { source(src); source(chroots); filter(f_mailinfo); destination(mailinfo); };
log { source(src); source(chroots); filter(f_mailwarn); destination(mailwarn); };
log { source(src); source(chroots); filter(f_mailerr); destination(mailerr); };
log { source(src); source(chroots); filter(f_mail); destination(mail); };
log { source(src); source(chroots); filter(f_acpid); destination(acpid); flags(final); };
log { source(src); source(chroots); filter(f_acpid_full); destination(devnull); flags(final); };
log { source(src); source(chroots); filter(f_acpid_old); destination(acpid); flags(final); };
log { source(src); source(chroots); filter(f_netmgm); destination(netmgm); flags(final); };
log { source(src); source(chroots); filter(f_local); destination(localmessages); };
log { source(src); source(chroots); filter(f_messages); destination(messages); };
log { source(src); source(chroots); filter(f_iptables); destination(firewall); };
log { source(src); source(chroots); filter(f_warn); destination(warn); };
Run the following command to restart syslog-ng:
# pkill -HUP syslog-ng
References
See the syslog-ng man page for more information.