Title

Remote logging must be enabled. (Cat II impact)

Discussion

In addition to local logging, remote logging must also be enabled. Local logs can be altered if the computer is compromised. Remote logging mitigates the risk of having the logs altered.

Check Content

Open a terminal session and enter the following command. more /etc/syslog.conf Ensure the name or IP address of the site's log server is listed as "your.log.server". If the name or IP address of the log server is not listed, this is a finding.

Fix Text

Open a terminal session and enter the following command. sudo pico /etc/syslog.conf Add the following line to the top of the file, replacing "your.log.server" with the name or IP address of the log server, and keeping all other lines intact. *.* @your.log.server Exit, saving changes. Reboot the system.

Additional Identifiers

Rule ID: SV-38523r1_rule

Vulnerability ID: V-25271

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.