progress snapshot

2026-01-21 08:33:09 -05:00
parent 6c96f3c549
commit 1339705f9d
20 changed files with 3387 additions and 46 deletions
--- a/config/50-cis-logging.conf
+++ b/config/50-cis-logging.conf
@@ -0,0 +1,102 @@
+# CIS Debian 13 Benchmark - Security Logging Configuration
+# Implements CIS recommendations for enhanced security logging
+
+# Enhanced authorization logging
+auth,authpriv.*                    /var/log/security/auth.log
+auth,authpriv.*                    @@remoteserver:514
+
+# System logs with security tag
+*.=info;*.=notice;*.=warn;\
+        auth,authpriv.none;\
+        cron,daemon.none;\
+        mail,news.none          /var/log/security/messages
+
+# Kernel messages
+kern.*                             /var/log/security/kern.log
+
+# Security events
+security.*                         /var/log/security/security.log
+
+# Audit events (from auditd)
+audit.*                            /var/log/security/audit.log
+
+# User login/logout logs
+login.*                            /var/log/security/login.log
+
+# Sudo commands
+local2.*                           /var/log/security/sudo.log
+
+# Failed logins
+authpriv.*;auth.*                  /var/log/security/failed.log
+
+# Application specific logs
+mail.*                             -/var/log/security/mail.log
+cron.*                             /var/log/security/cron.log
+daemon.*                           /var/log/security/daemon.log
+
+# Network logs
+network.*                          /var/log/security/network.log
+
+# Security alerts
+*.alert                            /var/log/security/alerts.log
+*.emerg                            :omusrmsg:*
+*.=emerg                           :omusrmsg:*
+
+# Console logging
+*.=crit;*.=err;*.=warning          |/dev/xconsole
+
+# Remote logging to security team (if configured)
+# *.* @@logserver.domain.tld:514
+
+# Filter duplicate messages
+$RepeatedMsgReduction on
+
+# Set default permissions for log files
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0027
+
+# Ensure all logs include timestamp and hostname
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+# Rate limiting to prevent log flooding
+$SystemLogRateLimitInterval 60
+$SystemLogRateLimitBurst 1000
+
+# Discard duplicate messages within 30 seconds
+$RepeatedMsgReductionInterval 30
+
+# Include additional configuration files
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+# Preserve security log integrity
+:msg, contains, "security"        /var/log/security/security.log
+:msg, contains, "failed login"    /var/log/security/failed.log
+:msg, contains, "sudo"            /var/log/security/sudo.log
+:msg, contains, "audit"           /var/log/security/audit.log
+
+# Create separate logs for different security domains
+$RuleSet remote
+:fromhost-ip, !isequal, "127.0.0.1"       ?RemoteLogs
+& ~
+
+# Enable journald to rsyslog forwarding
+$ModLoad imjournal
+$OmitLocalLogging on
+
+# Preserve FQDN in logs
+$PreserveFQDN on
+
+# Add process ID to all log entries
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+# Ensure backward compatibility
+$ModLoad compat
+
+# Queue settings for reliability
+$WorkDirectory /var/spool/rsyslog
+$ActionQueueFileName fwdRule1
+$ActionQueueMaxDiskSpace 1g
+$ActionQueueSaveOnShutdown on
+$ActionQueueType LinkedList
+$ActionResumeRetryCount -1