mediumloggingverified ✓rollback-safe
Monitor all remote access methods via rsyslog
rsyslog-remote-access-monitored · RHEL ≥ 8 · 1 impl
Description
RHEL 8 must log all remote access methods. rsyslog must record the auth, authpriv, and daemon facilities (for example to /var/log/secure) so that remote login activity is captured.
Rationale
Logging remote access methods provides the audit trail needed to detect and investigate unauthorized access attempts. Missing any of the auth, authpriv, or daemon facilities leaves a gap in remote-access monitoring.
Check → Remediate
Checkcommand
conf=$(grep -rhE '^[[:space:]]*[^#]' /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>/dev/null) printf '%s\n' "$conf" | grep -qE '(^|;|[[:space:]])auth\.\*' || exit 1 printf '%s\n' "$conf" | grep -qE '(^|;|[[:space:]])authpriv\.\*' || exit 1 printf '%s\n' "$conf" | grep -qE '(^|;|[[:space:]])daemon\.\*' || exit 1 exit 0
- expected_exit:
- 0
Remediateconfig_set_dropin
- dir:
- /etc/rsyslog.d
- file:
- 00-kensa-remote-access.conf
- key:
- auth.*;authpriv.*;daemon.*
- value:
- /var/log/secure
- restart:
- rsyslog
Framework references
STIG
V-280990 / RHEL-10-200647V-258144 / RHEL-09-652030V-230228 / RHEL-08-010070
NIST 800-53
AC-17(1)
Live verification
rhel8:check
#rsyslog#remote-access#logging#monitoring