Ensure remote access methods are monitored in Rsyslog
An XCCDF Rule
Description
Logging of remote access methods must be implemented to help identify cyber
attacks and ensure ongoing compliance with remote access policies are being
audited and upheld. An examples of a remote access method is the use of the
Remote Desktop Protocol (RDP) from an external, non-organization controlled
network. The /etc/rsyslog.conf
or
/etc/rsyslog.d/*.conf
file should contain a match for the following
selectors: auth.*
, authpriv.*
, and daemon.*
. If
not, use the following as an example configuration:
auth.*;authpriv.*;daemon.* /var/log/secure
Rationale
Logging remote access methods can be used to trace the decrease the risks associated with remote user access management. It can also be used to spot cyber attacks and ensure ongoing compliance with organizational policies surrounding the use of remote access methods.
- ID
- xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: 'Ensure remote access methods are monitored in Rsyslog: Set facts'
set_fact:
conf_files:
- /etc/rsyslog.conf
remote_methods:
- selector: auth.*
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
declare -A REMOTE_METHODS=( ['auth.*']='^[^#]*auth\.\*.*$' ['authpriv.*']='^[^#]*authpriv\.\*.*$' ['daemon.*']='^[^#]*daemon\.\*.*$' )
if [[ ! -f /etc/rsyslog.conf ]]; then