{"description": "Logging of remote access methods must be implemented to help identify cyber\nattacks and ensure ongoing compliance with remote access policies are being\naudited and upheld. An examples of a remote access method is the use of the\nRemote Desktop Protocol (RDP) from an external, non-organization controlled\nnetwork. The <tt>/etc/rsyslog.d/50-default.conf</tt> file should contain a match for the following\nselectors: <tt>auth.*</tt>, <tt>authpriv.*</tt>, and <tt>daemon.*</tt>. If\nnot, use the following as an example configuration:\n<code>\n    auth.*;authpriv.*                              /var/log/secure\n    daemon.*                                       /var/log/messages\n</code>", "rationale": "Logging remote access methods can be used to trace the decrease the risks\nassociated with remote user access management. It can also be used to spot\ncyber attacks and ensure ongoing compliance with organizational policies\nsurrounding the use of remote access methods.", "severity": "medium", "references": {"nist": ["AC-17(1)"], "srg": ["SRG-OS-000032-GPOS-00013"], "stigid": ["UBTU-22-652015"], "stigref": ["SV-260589r958406_rule"]}, "control_references": {"stigid": ["UBTU-22-652015"]}, "components": [], "identifiers": {}, "ocil_clause": "remote access methods are not logging to rsyslog", "ocil": "To verify that <tt>remote access methods</tt> are logging to <tt>rsyslog</tt>,\nrun the following command:\n\n<pre>grep -rE '^(auth\\.\\*,authpriv\\.\\*|daemon\\.\\*)' /etc/rsyslog.*</pre>\n\nThe output should contain <tt>auth.*</tt>, <tt>authpriv.*</tt>, and <tt>daemon.*</tt>\npointing to a log file.", "oval_external_content": null, "fixtext": "\nadd or update the following lines to the \"/etc/rsyslog.d/50-default.conf\" file:\n\nauth.*,authpriv.* /var/log/secure\ndaemon.* /var/log/messages\n\n\nThe \"rsyslog\" service must be restarted for the changes to take effect. To restart the \"rsyslog\" service, run the following command:\n\n$ sudo systemctl restart rsyslog.service", "checktext": "", "vuldiscussion": "", "srg_requirement": "All Ubuntu 22.04 remote access methods must be monitored.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "All Ubuntu 22.04 remote access methods must be monitored.", "vuldiscussion": "Logging remote access methods can be used to trace the decrease in the risks associated with remote user access management. It can also be used to spot cyberattacks and ensure ongoing compliance with organizational policies surrounding the use of remote access methods.", "checktext": "Verify that Ubuntu 22.04 monitors all remote access methods.\n\nCheck that remote access methods are being logged by running the following command:\n\n$ grep -rE '(auth.\\*|authpriv.\\*|daemon.\\*)' /etc/rsyslog.conf /etc/rsyslog.d/\n\n/etc/rsyslog.conf:authpriv.*\n\nIf \"auth.*\", \"authpriv.*\" or \"daemon.*\" are not configured to be logged, this is a finding.", "fixtext": "Add or update the following lines to the \"/etc/rsyslog.conf\" file or a file in \"/etc/rsyslog.d\":\n\nauth.*;authpriv.*;daemon.* /var/log/secure\n\nThe \"rsyslog\" service must be restarted for the changes to take effect with the following command:\n\n$ sudo systemctl restart rsyslog.service"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[rsyslog]", "system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel", "package_rsyslog"], "bash_conditional": null, "fixes": {}, "title": "Ensure remote access methods are monitored in Rsyslog", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/rule.yml", "template": null}