STIGQter STIGQter: STIG Summary: SLES 12 Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 24 Jan 2020: The SUSE operating system must off-load rsyslog messages for networked systems in real time and off-load standalone systems at least weekly.

DISA Rule

SV-92179r1_rule

Vulnerability Number

V-77483

Group Title

SRG-OS-000479-GPOS-00224

Rule Version

SLES-12-030340

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the SUSE operating system to off-load rsyslog messages for networked systems in real time.

For stand-alone systems establish a procedure to off-load log messages at least once a week.

For networked systems add a "@[Log_Server_IP_Address]" option to every active message label in "/etc/rsyslog.conf" that does not have one. Some examples are listed below:

*.*;mail.none;news.none -/var/log/messages
*.*;mail.none;news.none @192.168.1.101:514

An additional option is to capture all of the log messages and send them to a remote log host:

*.* @@loghost:514

Check Contents

Verify that the SUSE operating system must off-load rsyslog messages for networked systems in real time and off-load standalone systems at least weekly.

For stand-alone hosts, verify with the System Administrator that the log files are off-loaded at least weekly.

For networked systems, check that rsyslog is sending log messages to a remote server with the following command:

# sudo grep "\*.\*" /etc/rsyslog.conf | grep "@" | grep -v "^#"

*.*;mail.none;news.none @192.168.1.101:514

If any active message labels in the file do not have a line to send log messages to a remote server, this is a finding.

Vulnerability Number

V-77483

Documentable

False

Rule Version

SLES-12-030340

Severity Override Guidance

Verify that the SUSE operating system must off-load rsyslog messages for networked systems in real time and off-load standalone systems at least weekly.

For stand-alone hosts, verify with the System Administrator that the log files are off-loaded at least weekly.

For networked systems, check that rsyslog is sending log messages to a remote server with the following command:

# sudo grep "\*.\*" /etc/rsyslog.conf | grep "@" | grep -v "^#"

*.*;mail.none;news.none @192.168.1.101:514

If any active message labels in the file do not have a line to send log messages to a remote server, this is a finding.

Check Content Reference

M

Target Key

2903

Comments