STIGQter: STIG Summary: Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide, Version: 2, Release: 3, Benchmark Date: 23 Apr 2021

The Ubuntu operating system must be configured to preserve log records from failure events.

DISA Rule

SV-219160r610963_rule

Vulnerability Number

V-219160

Group Title

SRG-OS-000269-GPOS-00103

Rule Version

UBTU-18-010022

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the log service to collect failure events.

Install the log service (if the log service is not already installed) with the following command:

# sudo apt-get install rsyslog

Enable the log service with the following command:

# sudo systemctl enable rsyslog

Restart the log service with the following command:

# sudo systemctl restart rsyslog

Check Contents

Verify the log service is configured to collect system failure events.

Check that the log service is installed properly with the following command:

# dpkg -l | grep rsyslog

ii rsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon

If the "rsyslog" package is not installed, this is a finding.

Check that the log service is enabled with the following command:

# sudo systemctl is-enabled rsyslog

enabled

If the command above returns "disabled", this is a finding.

Check that the log service is properly running and active on the system with the following command:

# systemctl is-active rsyslog

active

If the command above returns "inactive", this is a finding.
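
The three checks above combined into one script, as an added example that is not part of the STIG or of STIGQter. The function names are hypothetical, and the logic is deliberately stricter than the check text in two places: only dpkg state "ii" for the exact package name counts as installed, and any is-enabled or is-active result other than "enabled" or "active" is reported.

```shell
#!/bin/sh
# Added example: evaluates the three UBTU-18-010022 checks.
# rsyslog_findings is a hypothetical helper name, not part of the STIG.
# Arguments are the raw outputs of:
#   $1  dpkg -l | grep rsyslog
#   $2  systemctl is-enabled rsyslog
#   $3  systemctl is-active rsyslog
# Prints one line per finding; returns 0 when compliant, 1 otherwise.
rsyslog_findings() {
    dpkg_out=$1 enabled_out=$2 active_out=$3
    rc=0

    # Require state "ii" and the exact package name (optionally ":arch"), so
    # "rc" (removed, config left behind) and rsyslog-gnutls do not count.
    if ! printf '%s\n' "$dpkg_out" |
        awk '$1 == "ii" && ($2 == "rsyslog" || $2 ~ /^rsyslog:/) { ok = 1 } END { exit !ok }'
    then
        echo 'FINDING: "rsyslog" package is not installed'
        rc=1
    fi

    # Stricter than the STIG text: only "enabled" passes, so "masked" or
    # an empty result is reported as well as "disabled".
    if [ "$enabled_out" != "enabled" ]; then
        echo "FINDING: rsyslog is not enabled (is-enabled: ${enabled_out:-no output})"
        rc=1
    fi

    if [ "$active_out" != "active" ]; then
        echo "FINDING: rsyslog is not active (is-active: ${active_out:-no output})"
        rc=1
    fi
    return "$rc"
}

# Live collection. The commands exit non-zero on a non-compliant host, which
# is the case being reported, so their exit codes are ignored here.
rsyslog_check_live() {
    rsyslog_findings \
        "$(dpkg -l 2>/dev/null | grep rsyslog || true)" \
        "$(systemctl is-enabled rsyslog 2>/dev/null || true)" \
        "$(systemctl is-active rsyslog 2>/dev/null || true)"
}
```

Source the file and call rsyslog_check_live on the host being assessed; a non-zero return means at least one finding was printed.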

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4055
