Title

Amazon Linux 2023 must have the rsyslog package installed. (Cat II impact)

Discussion

Successful incident response and auditing relies on timely, accurate system information and analysis allow the organization to identify and respond to potential incidents in a proficient manner. If Amazon Linux 2023 does not provide the ability to centrally review Amazon Linux 2023 logs, forensic analysis is negatively impacted. Segregation of logging data to multiple disparate computer systems is counterproductive and makes log analysis and log event alarming difficult to implement and manage, particularly when the system has multiple logging components writing to different locations or systems. To support the centralized capability, Amazon Linux 2023 must be able to provide the information in a format that can be extracted and used, allowing the application performing the centralization of the log records to meet this requirement. Satisfies: SRG-OS-000051-GPOS-00024, SRG-OS-000479-GPOS-00224

Check Content

Verify Amazon Linux 2023 is configured to collect system failure events with the following command: $ dnf list --installed rsyslog Installed Packages rsyslog.x86_64 8.2204.0-3.amzn2023.0.4 @amazonlinux If the "rsyslog" package is not installed, this is a finding. Check that the log service is enabled with the following command: $ dnf list --installed vsftpd Error: No matching Packages to list If the command above returns "disabled", this is a finding.

Fix Text

Configure Amazon Linux 2023 to monitor all remote access methods by installing rsyslog with the following command: $ sudo dnf install -y rsyslog Enable the log service with the following command: $ sudo systemctl enable --now rsyslog

Additional Identifiers

Rule ID: SV-274020r1120048_rule

Vulnerability ID: V-274020

Group Title: SRG-OS-000051-GPOS-00024

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.