Title

Ubuntu OS must be configured to preserve log records from failure events. (Cat II impact)

Discussion

Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Preserving operating system state information helps to facilitate operating system restart and return to the operational mode of the organization with least disruption to mission/business processes.

Check Content

Verify the log service is installed properly by using the following command: $ dpkg -l | grep rsyslog ii rsyslog 8.2112.0-2ubuntu2.2 amd64 reliable system and kernel logging daemon If the "rsyslog" package is not installed, this is a finding. Check that the log service is enabled and active by using the following commands: $ systemctl is-enabled rsyslog.service enabled $ systemctl is-active rsyslog.service active If "rsyslog.service" is not enabled and active, this is a finding.

Fix Text

Install the log service by using the following command: $ sudo apt-get install rsyslog Enable and activate the log service by using the following command: $ sudo systemctl enable rsyslog.service --now

Additional Identifiers

Rule ID: SV-275675r1148075_rule

Vulnerability ID: V-275675

Group Title: SRG-OS-000269-GPOS-00103

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.