← Rules Catalog
mediumloggingverified rollback-safe

Monitor all remote access methods via rsyslog

rsyslog-remote-access-monitored · RHEL ≥ 8 · 1 impl

Description

RHEL 8 must log all remote access methods. rsyslog must record the auth, authpriv, and daemon facilities (for example to /var/log/secure) so that remote login activity is captured.

Rationale

Logging remote access methods provides the audit trail needed to detect and investigate unauthorized access attempts. Missing any of the auth, authpriv, or daemon facilities leaves a gap in remote-access monitoring.

Check → Remediate

Checkcommand
conf=$(grep -rhE '^[[:space:]]*[^#]' /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>/dev/null)
printf '%s\n' "$conf" | grep -qE '(^|;|[[:space:]])auth\.\*' || exit 1
printf '%s\n' "$conf" | grep -qE '(^|;|[[:space:]])authpriv\.\*' || exit 1
printf '%s\n' "$conf" | grep -qE '(^|;|[[:space:]])daemon\.\*' || exit 1
exit 0
expected_exit:
0
Remediateconfig_set_dropin
dir:
/etc/rsyslog.d
file:
00-kensa-remote-access.conf
key:
auth.*;authpriv.*;daemon.*
value:
/var/log/secure
restart:
rsyslog

Framework references

STIG

V-280990 / RHEL-10-200647V-258144 / RHEL-09-652030V-230228 / RHEL-08-010070

NIST 800-53

AC-17(1)

Live verification

rhel8:check
#rsyslog#remote-access#logging#monitoring