Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server

An XCCDF Rule

Description

The rsyslog daemon should not accept remote messages unless the system acts as a log server. To ensure that it is not listening on the network, make sure that none of the following lines appear in the rsyslog configuration files. If using legacy syntax:

$ModLoad imtcp
$InputTCPServerRun port
$ModLoad imudp
$UDPServerRun port
$ModLoad imrelp
$InputRELPServerRun port

If using RainerScript syntax:

module(load="imtcp")
module(load="imudp")
input(type="imtcp" port="514")
input(type="imudp" port="514")

Rationale

Any process which receives messages from the network incurs some risk of receiving malicious messages. This risk can be eliminated for rsyslog by configuring it not to listen on the network.

ID: xccdf_org.ssgproject.content_rule_rsyslog_nolisten
Severity: Medium
References
Updated

Remediation - Ansible

- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
    - Define Rsyslog Config Lines Regex in Legacy Syntax
  ansible.builtin.set_fact:
    rsyslog_listen_legacy_regex: ^\s*\$(((Input(TCP|RELP)|UDP)ServerRun)|ModLoad\s+(imtcp|imudp|imrelp))
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Legacy-syntax directives that enable a network listener:
# $InputTCPServerRun, $InputRELPServerRun, $UDPServerRun and the
# $ModLoad lines for the imtcp, imudp and imrelp input modules
legacy_regex='^\s*\$(((Input(TCP|RELP)|UDP)ServerRun)|ModLoad\s+(imtcp|imudp|imrelp))'
# RainerScript module()/input() statements that load or use imtcp or imudp
rainer_regex='^\s*(module|input)\((load|type)="(imtcp|imudp)".*$'

fi
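The remediation above is built on two regular expressions; the following audit-only counterpart, added here as an example and not part of the SSG rule's own content, runs those same two patterns over a constructed sample configuration tree and reports the offending lines rather than deleting them. It also shows two behaviours of the patterns as written: commented-out directives are not flagged, and a RainerScript `module(load="imrelp")` line is not caught because the RainerScript pattern lists only imtcp and imudp.

```shell
#!/usr/bin/env bash
# Added example, not the rule's own remediation: audit rsyslog configuration
# for network listeners with the two patterns the rule uses, and report the
# offending lines instead of deleting them.

legacy_regex='^\s*\$(((Input(TCP|RELP)|UDP)ServerRun)|ModLoad\s+(imtcp|imudp|imrelp))'
rainer_regex='^\s*(module|input)\((load|type)="(imtcp|imudp)".*$'

# list_rsyslog_listeners FILE...: print each matching line as FILE:LINENO:TEXT.
# Commented-out directives are not reported because both patterns anchor on
# optional whitespace followed directly by the directive itself.
list_rsyslog_listeners() {
    grep -n -H -E "(${legacy_regex})|(${rainer_regex})" -- "$@" 2>/dev/null || true
}

# count_rsyslog_listeners FILE...: number of matching lines across all files.
count_rsyslog_listeners() {
    list_rsyslog_listeners "$@" | wc -l | tr -d ' '
}

# make_sample_config: write constructed configuration files into a temporary
# directory and print its path. These are sample inputs, not real host files.
make_sample_config() {
    dir=$(mktemp -d)
    mkdir -p "$dir/rsyslog.d"
    cat > "$dir/rsyslog.conf" <<'EOF'
$ModLoad imuxsock
$ModLoad imtcp
$InputTCPServerRun 514
*.info;mail.none    /var/log/messages
EOF
    cat > "$dir/rsyslog.d/10-remote.conf" <<'EOF'
# module(load="imtcp")
module(load="imudp")
input(type="imudp" port="514")
module(load="imrelp")
EOF
    printf '%s\n' "$dir"
}

# Usage: audit the sample tree. Four lines are reported: two legacy directives
# and two RainerScript ones. The commented-out line is skipped, and the imrelp
# module line is missed because the RainerScript pattern lists only imtcp and
# imudp; a site that must also catch RELP listeners has to extend that pattern.
sample=$(make_sample_config)
list_rsyslog_listeners "$sample/rsyslog.conf" "$sample"/rsyslog.d/*.conf
echo "listener lines found: $(count_rsyslog_listeners "$sample/rsyslog.conf" "$sample"/rsyslog.d/*.conf)"
```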