Ensure remote access methods are monitored in Rsyslog

An XCCDF Rule

Description

Logging of remote access methods must be implemented to help identify cyber attacks and ensure ongoing compliance with remote access policies are being audited and upheld. An examples of a remote access method is the use of the Remote Desktop Protocol (RDP) from an external, non-organization controlled network. The /etc/rsyslog.conf or /etc/rsyslog.d/*.conf file should contain a match for the following selectors: auth.*, authpriv.*, and daemon.*. If not, use the following as an example configuration:

auth.*;authpriv.*;daemon.*                              /var/log/secure

Rationale

Logging remote access methods can be used to trace the decrease the risks associated with remote user access management. It can also be used to spot cyber attacks and ensure ongoing compliance with organizational policies surrounding the use of remote access methods.

ID: xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring
Severity: Medium
References: CCI-000067

AC-17(1)

SRG-OS-000032-GPOS-00013
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ ! -f /etc/rsyslog.d/50-default.conf ]; then
    # Something is not right, create the file
    touch /etc/rsyslog.d/50-default.conffi

# Check to see if auth exists
if ! grep -Erq "^auth\.\*,authpriv\.\*" /etc/rsyslog.*; then
    echo "auth.*,authpriv.* /var/log/secure" >> /etc/rsyslog.d/50-default.conf
fi

if ! grep -Erq "^daemon\.\*" /etc/rsyslog.*; then
    echo "daemon.* /var/log/messages" >> /etc/rsyslog.d/50-default.conf
fi

systemctl restart rsyslog.service

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Ensure remote access methods are monitored in Rsyslog - Set Facts
  ansible.builtin.set_fact:
    conf_files:
    - /etc/rsyslog.d/50-default.conf
    remote_methods:
    - selector: auth.*      regexp: ^.*auth\.\*.*$
      log_path_name: secure
    - selector: authpriv.*
      regexp: ^.*authpriv\.\*.*$
      log_path_name: secure
    - selector: daemon.*
      regexp: ^.*daemon\.\*.*$
      log_path_name: messages
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AC-17(1)
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_remote_access_monitoring

- name: Ensure remote access methods are monitored in Rsyslog - Ensure /etc/rsyslog.d/50-default.conf
    Exists
  ansible.builtin.file:
    path: '{{ conf_files.0 }}'
    state: touch
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AC-17(1)
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_remote_access_monitoring

- name: Ensure remote access methods are monitored in Rsyslog - Check for Existing
    Values in Conf Files
  ansible.builtin.lineinfile:
    path: '{{ item.1 }}'
    regexp: '{{ item.0.regexp }}'
    state: absent
  check_mode: true
  changed_when: false
  register: remote_method_values
  loop: '{{ remote_methods|product(conf_files)|list }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AC-17(1)
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_remote_access_monitoring

- name: Ensure remote access methods are monitored in Rsyslog - Configure /etc/rsyslog.d/50-default.conf
    With Proper Log Paths
  ansible.builtin.lineinfile:
    path: /etc/rsyslog.d/50-default.conf
    line: '{{ item.item.0.selector }} /var/log/{{ item.item.0.log_path_name }}'
    insertafter: ^.*\/var\/log\/secure.*$
    create: true
  loop: '{{ remote_method_values.results }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - item.found == 0
  tags:
  - NIST-800-53-AC-17(1)
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_remote_access_monitoring

Ensure remote access methods are monitored in Rsyslog

Description

Rationale

Remediation - Shell Script

Remediation - Ansible