SLEM 5 must offload rsyslog messages for networked systems in real time and offload standalone systems at least weekly.

Severity: medium
Group ID: V-261409
Group Title: SRG-OS-000479-GPOS-00224
Version: SLEM-05-652010
Rule ID: SV-261409r996643_rule
Date: 2024-06-04
STIG Version: 1
Description
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity.
ℹ️ Check
Verify that SLEM 5 offloads syslog-ng messages for networked systems in real time and offloads standalone systems at least weekly.

For standalone hosts, verify with the system administrator that the log files are offloaded at least weekly.

For networked systems, check that syslog-ng is sending log messages to a remote server with the following command:

> sudo egrep "^destination logserver" /etc/syslog-ng/syslog-ng.conf
destination logserver { syslog("10.10.10.10" transport("udp") port(514)); };

If any active message labels in the file do not have a line to send log messages to a remote server, this is a finding.
✔️ Fix
Configure SLEM 5 to offload syslog-ng messages for networked systems in real time.

For standalone systems, establish a procedure to offload log messages at least once a week.

For networked systems, add a remote destination to "/etc/syslog-ng/syslog-ng.conf" for every active message source that does not have one, replacing "IP_ADDRESS" with the log server's address and "UDP_OR_TCP" with the transport in use:

destination logserver { syslog("IP_ADDRESS" transport("UDP_OR_TCP") port(514)); };

Make sure a log statement routes the source to that destination; if the default file carries it commented out as "#log { source(src); destination(logserver); };", uncomment it:

log { source(src); destination(logserver); };

For example:

destination logserver { syslog("10.10.10.10" transport("udp") port(514)); };
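The check above only greps for the destination line; a destination that no log statement references forwards nothing, which is exactly the state the default SUSE config is in when the log line is left commented out. The script below is an added audit helper, not part of the STIG text or of syslog-ng, that tests both conditions on a syslog-ng.conf. The function name check_remote_logging, the two constructed sample configs, and the assumption that the destination and log statements are written on single lines (as in the STIG output) are all this example's own.

```shell
#!/bin/sh
# Added example, not from the STIG: audit a syslog-ng.conf for a remote
# "logserver" destination AND an active log path that routes a source to it.
# Assumes the one-line statement form shown in the STIG check output.

# check_remote_logging CONFIG_FILE
# Returns 0 (PASS) when a remote destination exists and an uncommented
# log { ... destination(logserver); } statement uses it; returns 1 (finding)
# otherwise. The path is a parameter so it can be pointed at the real
# /etc/syslog-ng/syslog-ng.conf on a host.
check_remote_logging() {
    conf="$1"
    [ -r "$conf" ] || { echo "FINDING: cannot read $conf"; return 1; }

    # 1. An uncommented 'destination logserver' statement must exist.
    if ! grep -Eq '^[[:space:]]*destination[[:space:]]+logserver' "$conf"; then
        echo "FINDING: no 'destination logserver' in $conf"
        return 1
    fi

    # 2. That destination must use a network transport, not a local file.
    if ! grep -E '^[[:space:]]*destination[[:space:]]+logserver' "$conf" \
         | grep -Eq 'transport[(]"(udp|tcp|tls)"[)]'; then
        echo "FINDING: destination logserver does not use a network transport"
        return 1
    fi

    # 3. A log path must reference it; a line starting with '#' does not count.
    if ! grep -Eq '^[[:space:]]*log[[:space:]]*[{].*destination[(]logserver[)]' "$conf"; then
        echo "FINDING: no active 'log { ... destination(logserver); };' statement"
        return 1
    fi

    echo "PASS: $conf forwards to a remote log server"
    return 0
}

# Constructed sample configs for demonstration; these are not real host files.
SAMPLE_DIR="${TMPDIR:-/tmp}/slem-syslog-demo.$$"
mkdir -p "$SAMPLE_DIR"

# Compliant: remote destination plus an active log path that uses it.
cat > "$SAMPLE_DIR/good.conf" <<'EOF'
source src { system(); internal(); };
destination logserver { syslog("10.10.10.10" transport("udp") port(514)); };
log { source(src); destination(logserver); };
EOF

# Non-compliant: the destination is present but the log path is still
# commented out, so the plain 'egrep "^destination logserver"' check would
# pass while nothing is actually forwarded.
cat > "$SAMPLE_DIR/bad.conf" <<'EOF'
source src { system(); internal(); };
destination logserver { syslog("10.10.10.10" transport("udp") port(514)); };
#log { source(src); destination(logserver); };
EOF

# Stand-alone demo run: the first file passes, the second is a finding.
check_remote_logging "$SAMPLE_DIR/good.conf"
check_remote_logging "$SAMPLE_DIR/bad.conf" || echo "(expected finding for bad.conf)"
```

On a real host, run `check_remote_logging /etc/syslog-ng/syslog-ng.conf`; the exit status (0 pass, 1 finding) makes it usable from a compliance scanner or a cron job.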