
V-261409

CAT II (Medium)

SLEM 5 must offload rsyslog messages for networked systems in real time and offload standalone systems at least weekly.

Rule ID

SV-261409r996643_rule

STIG

SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide

Version

V1R4

CCIs

CCI-001851

Discussion

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity.

Check Content

Verify that SLEM 5 offloads syslog-ng messages for networked systems in real time and offloads standalone systems at least weekly.

For standalone hosts, verify with the system administrator that the log files are offloaded at least weekly.

For networked systems, check that syslog-ng is sending log messages to a remote server with the following command:

     > sudo egrep "^destination logserver"  /etc/syslog-ng/syslog-ng.conf
     syslog("10.10.10.10" transport("udp") port(514)); };

If any active message labels in the file do not have a line to send log messages to a remote server, this is a finding.
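The egrep above only shows that a destination named "logserver" is defined; it does not show that any active log statement routes messages to it. The following is an added example, not part of the STIG text, that checks both. It assumes an "active message label" means a source referenced in an uncommented log statement; the function names, the driver list and the sample configuration are constructed for illustration.

```python
import re

# syslog-ng destination drivers that send messages off-host.
REMOTE_DRIVERS = ("syslog", "network", "tcp", "udp", "tcp6", "udp6")

def strip_comments(text):
    # Simplification: treats every '#' as a comment start, even inside quotes.
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def blocks(text, keyword):
    """Yield (name, body) for each 'keyword [name] { ... }' that starts a line."""
    for m in re.finditer(r"(?m)^\s*%s\b\s*([\w.-]+)?\s*\{" % keyword, text):
        depth, i = 1, m.end()
        while i < len(text) and depth:          # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def audit(conf_text):
    """Return (remote destination names, sources never routed to one)."""
    text = strip_comments(conf_text)
    driver = re.compile(r"\b(?:%s)\s*\(" % "|".join(REMOTE_DRIVERS))
    remote = {n for n, body in blocks(text, "destination") if n and driver.search(body)}
    seen, offloaded = set(), set()
    for _, body in blocks(text, "log"):
        sources = set(re.findall(r"\bsource\s*\(\s*([\w.-]+)\s*\)", body))
        dests = set(re.findall(r"\bdestination\s*\(\s*([\w.-]+)\s*\)", body))
        seen |= sources
        if dests & remote:                      # this log path leaves the host
            offloaded |= sources
    return remote, sorted(seen - offloaded)

# Constructed sample: the remote destination exists, but its log path is commented out.
SAMPLE = '''\
source src { system(); internal(); };
destination messages { file("/var/log/messages"); };
destination logserver {
    syslog("10.10.10.10" transport("udp") port(514));
};
#log { source(src); destination(logserver); };
log { source(src); destination(messages); };
'''

if __name__ == "__main__":
    remote, unrouted = audit(SAMPLE)
    print("remote destinations:", sorted(remote))
    print("finding" if unrouted or not remote else "not a finding", unrouted)
```

On the sample, the egrep check would pass because the destination is defined, while this audit reports source "src" as never reaching a remote destination.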

Fix Text

Configure SLEM 5 to offload syslog-ng messages for networked systems in real time.

For standalone systems, establish a procedure to offload log messages at least once a week.

For networked systems, add "UDP_OR_TCP("IP_ADDRESS" port(514)); };" and "#log { source(src); destination(logserver); };" in any "/etc/syslog-ng/syslog-ng.conf" that does not have one.

     syslog("10.10.10.10" transport("udp") port(514)); };