Check: SLEM-05-652010
SUSE Linux Enterprise Micro (SLEM) 5 STIG:
SLEM-05-652010
(in version v1 r1)
Title
SLEM 5 must offload rsyslog messages for networked systems in real time and offload standalone systems at least weekly. (Cat II impact)
Discussion
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity.
Check Content
Verify that SLEM 5 offloads syslog-ng messages for networked systems in real time and that standalone systems are offloaded at least weekly.

For standalone hosts, verify with the system administrator that the log files are offloaded at least weekly.

For networked systems, check that syslog-ng is sending log messages to a remote server with the following command:

> sudo egrep "^destination logserver" /etc/syslog-ng/syslog-ng.conf

destination logserver { syslog("10.10.10.10" transport("udp") port(514)); };

If any active message labels in the file do not have a line to send log messages to a remote server, this is a finding.
Fix Text
Configure SLEM 5 to offload syslog-ng messages for networked systems in real time. For standalone systems, establish a procedure to offload log messages at least once a week.

For networked systems, add a "destination logserver { UDP_OR_TCP("IP_ADDRESS" port(514)); };" line to "/etc/syslog-ng/syslog-ng.conf" if the file does not have one, and make sure the matching "log { source(src); destination(logserver); };" statement is active (with a leading "#", as in "#log { source(src); destination(logserver); };", the statement is a comment and nothing is sent). For example:

destination logserver { syslog("10.10.10.10" transport("udp") port(514)); };
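The following script is an added example, not part of the STIG text: it automates the check above against a syslog-ng.conf, and additionally flags the case the fix text hints at, where a remote destination is defined but the "log" statement that routes messages to it is still commented out. The three sample configuration files it creates are constructed for the demonstration; the 10.10.10.10 address is the placeholder from the STIG, not a real collector.

```shell
#!/bin/sh
# Added example (not from the STIG): audit a syslog-ng.conf for an active remote
# "destination logserver" AND an active "log" path that uses it.
# Exit status: 0 compliant, 1 finding, 2 file unreadable.
check_syslog_ng_offload() {
    conf="$1"
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf" >&2; return 2; }
    # Uncommented destination named logserver using a network driver with a host
    # argument, e.g. syslog("10.10.10.10" transport("udp") port(514)).
    if ! grep -Eq '^[[:space:]]*destination[[:space:]]+logserver[[:space:]]*\{[[:space:]]*(syslog|udp|tcp|network)\("[^"]+"' "$conf"; then
        echo "FINDING: $conf has no active 'destination logserver' pointing at a remote host"
        return 1
    fi
    # A destination that no log statement references sends nothing, so also
    # require an uncommented "log { ... destination(logserver); };".
    if ! grep -Eq '^[[:space:]]*log[[:space:]]*\{.*destination\(logserver\)' "$conf"; then
        echo "FINDING: $conf has no active 'log { source(...); destination(logserver); };'"
        return 1
    fi
    echo "OK: $conf routes messages to a remote log server"
}

# Constructed sample configurations (no real hosts) to exercise the check.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
GOOD_CONF="$TMPD/good.conf"; PARTIAL_CONF="$TMPD/partial.conf"; BAD_CONF="$TMPD/bad.conf"
cat > "$GOOD_CONF" <<'EOF'
source src { internal(); };
destination logserver { syslog("10.10.10.10" transport("udp") port(514)); };
log { source(src); destination(logserver); };
EOF
cat > "$PARTIAL_CONF" <<'EOF'
source src { internal(); };
destination logserver { syslog("10.10.10.10" transport("udp") port(514)); };
#log { source(src); destination(logserver); };
EOF
cat > "$BAD_CONF" <<'EOF'
source src { internal(); };
#destination logserver { udp("10.10.10.10" port(514)); };
#log { source(src); destination(logserver); };
EOF

for f in "$GOOD_CONF" "$PARTIAL_CONF" "$BAD_CONF"; do
    check_syslog_ng_offload "$f" || :   # keep going so every sample is reported
done
```

On a real host, run `check_syslog_ng_offload /etc/syslog-ng/syslog-ng.conf` and treat exit status 1 as the finding described in the check content.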
Additional Identifiers
Rule ID: SV-261409r996643_rule
Vulnerability ID: V-261409
Group Title: SRG-OS-000479-GPOS-00224
CCIs
Number | Definition
---|---
CCI-001851 | Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging.
Controls
Number | Title
---|---
AU-4(1) | Transfer to Alternate Storage