{"description": "The <tt>/etc/rsyslog.conf</tt> and <tt>/etc/rsyslog.d/*.conf</tt> files\nspecify rules for logging and which files are to be used to log certain\nclasses of messages.", "rationale": "A great deal of important security-related information is sent via\nrsyslog (e.g., successful and failed su attempts, failed login attempts,\nroot login attempts, etc.).", "severity": "medium", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "no logging is configured", "ocil": "Review the contents of the <tt>/etc/rsyslog.conf</tt> and <tt>/etc/rsyslog.d/*.conf</tt>\nfiles to ensure appropriate logging is set. In addition, run the following command:\n<pre>ls -l /var/log/</pre>\nand verify that information is being logged to the log files.", "oval_external_content": null, "fixtext": "Configure logging with selectors covering each priority. An example log configuration is\nthe following content for the <tt>/etc/rsyslog.conf</tt> and <tt>/etc/rsyslog.d/*.conf</tt> files:\n<pre>\n*.emerg                        :omusrmsg:*\nauth,authpriv.*                /var/log/secure\nmail.*                         -/var/log/mail\nmail.info                      -/var/log/mail.info\nmail.warning                   -/var/log/mail.warn\nmail.err                       /var/log/mail.err\nnews.crit                      -/var/log/news/news.crit\nnews.err                       -/var/log/news/news.err\nnews.notice                    -/var/log/news/news.notice\n*.=warning;*.=err              -/var/log/warn\n*.crit                         /var/log/warn\n*.*;mail.none;news.none        -/var/log/messages\nlocal0,local1.*                -/var/log/localmessages\nlocal2,local3.*                -/var/log/localmessages\nlocal4,local5.*                -/var/log/localmessages\nlocal6,local7.*                -/var/log/localmessages\n</pre>\nTo apply the new settings, use the command:\n<pre>systemctl restart rsyslog</pre>", "checktext": "", "vuldiscussion": "", 
"srg_requirement": "", "warnings": [{"general": "This rule does not come with a remediation because there is no single way to solve the problem, and\nthe requirement from the CIS specification does not require one particular way, but encourages\nthe system administrator to perform configuration suitable for the specific environment.\nThis also means that the OVAL check is too generic, and the user should most probably\nperform additional manual verification."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[rsyslog]", "system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel", "package_rsyslog"], "bash_conditional": null, "fixes": {}, "title": "Ensure logging is configured", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml", "template": null}