Title

Sun Ray server does not send logs to syslog server. (Cat III impact)

Discussion

Remote logging is essential in monitoring servers and detecting intrusion. If an intruder is able to obtain root on a host, they may be able to edit the system logs to remove all traces of the attack. If the logs are stored off the machine, they can be analyzed for suspicious activity and used for prosecuting the attacker. Centralized log monitoring and storage is a critical component of incident response and assuring the integrity of system logs.

Check Content

On the Sun Ray server, examine the /etc/syslog.conf file. To send all syslog data from the Sun Ray server to a remote syslog host, search for the following line(s) in the /etc/syslog.conf file: *.*<Tab><Tab> @loghost (name of remote host) OR *.debug, info, …@loghost At a minimum, the following two log files must be configured to send their logs to a remote syslog server: Log Name Facility Level Default Location messages user.info /var/opt/SUNWut/log/messages admin_log local1.info /var/opt/SUNWut/log/admin_log Verify the loghost referred to in the syslog.conf file is not resolving to the localhost. Check /etc/hosts file to review what the remote host is referring to. If it is not in this file, check the DNS server to determine what it is resolving to. If it is resolving to localhost, this is a finding.

Fix Text

Configure the Sun Ray server to send its logs to a remote syslog server.

Additional Identifiers

Rule ID:

Vulnerability ID: V-16393

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.