The SUSE operating system must off-load rsyslog messages for networked systems in real time and off-load standalone systems at least weekly.

STIG ID: SLES-12-030340  |  SRG: SRG-OS-000479-GPOS-00224 |  Severity: medium |  CCI: CCI-001851 |  Vulnerability Id: V-217285 | 

Vulnerability Discussion

Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Off-loading is a common process in information systems with limited audit storage capacity.

Check

Verify that the SUSE operating system must off-load rsyslog messages for networked systems in real time and off-load standalone systems at least weekly.

For stand-alone hosts, verify with the System Administrator that the log files are off-loaded at least weekly.

For networked systems, check that rsyslog is sending log messages to a remote server with the following command:

# sudo grep "\*.\*" /etc/rsyslog.conf | grep "@" | grep -v "^#"

*.*;mail.none;news.none @192.168.1.101:514

If any active message labels in the file do not have a line to send log messages to a remote server, this is a finding.

Fix

Configure the SUSE operating system to off-load rsyslog messages for networked systems in real time.

For stand-alone systems establish a procedure to off-load log messages at least once a week.

For networked systems add a "@[Log_Server_IP_Address]" option to every active message label in "/etc/rsyslog.conf" that does not have one. Some examples are listed below:

*.*;mail.none;news.none -/var/log/messages
*.*;mail.none;news.none @192.168.1.101:514

An additional option is to capture all of the log messages and send them to a remote log host:

*.* @@loghost:514
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.