KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
football/chroot-overlay/etc/rsyslog.d/50-cis-logging.conf
Charles N Wyble d9eb08c9fd feat: implement comprehensive auditing and logging for compliance 
- Add CIS audit rules for system events monitoring
- Configure rsyslog for centralized security logging
- Implement logrotate for 365-day retention
- Add AIDE file integrity monitoring configuration

Audit Rules Coverage:
- System calls monitoring
- Privileged command execution
- File access and modification
- User/group information changes
- Network configuration changes
- Cron and service management
- Login and session events

Logging Features:
- Separate logs for security, admin, access, change events
- Rate limiting to prevent log flooding
- RFC 5424 format compliance
- Secure file permissions (0640)

File Integrity Monitoring:
- AIDE daily integrity checks
- Monitor critical system files and directories
- Exclude volatile filesystems (/proc, /sys, /tmp)
- Automated integrity verification

Compliance:
- CIS Benchmark 4.1: Audit and Accountability
- CMMC Level 3: AU domain (Audit and Accountability)
- FedRAMP Moderate: AU controls

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-01-13 13:13:09 -05:00

120 lines
3.4 KiB
Plaintext
Raw Permalink Blame History

# CIS Benchmark - Centralized Logging Configuration
# Implements CIS Debian Benchmark Section 4.2
# ============================================================================
# Global Directives
# ============================================================================
# Use RFC 5424 format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Set file permissions
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
# Rate limiting to prevent log flooding
$SystemLogRateLimitInterval 5
$SystemLogRateLimitBurst 500
# ============================================================================
# Modules
# ============================================================================
# Load kernel module
$ModLoad imklog
# Load Mark module for periodic timestamps
$ModLoad immark
# Load UDP module for remote logging (disabled for security)
# $ModLoad imudp
# Load TCP module for remote logging (disabled for security)
# $ModLoad imtcp
# ============================================================================
# Log Destinations (Local Only - Remote Logging Disabled)
# ============================================================================
# Kernel messages
kern.* -/var/log/kern.log
# Authentication logs (CIS 4.2.1)
auth,authpriv.* -/var/log/auth.log
# System mail
mail.* -/var/log/mail.log
# Cron logs
cron.* -/var/log/cron.log
# User messages
*.=info;*.=notice;*.=warn -/var/log/messages
# Emergency messages
*.emerg :omusrmsg:*
# ============================================================================
# Security-Specific Logging
# ============================================================================
# Sudo command logging
if $programname == 'sudo' then -/var/log/sudo.log
& stop
# Audit logging
if $programname == 'auditd' then -/var/log/audit/audit.log
& stop
# Security events
if $programname contains 'security' then -/var/log/security.log
& stop
# Network events
if $programname contains 'network' then -/var/log/network.log
& stop
# WireGuard logs
if $programname == 'wg-quick' or $programname == 'wireguard' then -/var/log/wireguard.log
& stop
# Firewall logs
if $programname == 'iptables' then -/var/log/firewall.log
& stop
# ============================================================================
# Compliance Logging (CMMC/FedRAMP Requirements)
# ============================================================================
# All administrative actions
if $syslogseverity-text == 'info' and $msg contains 'user' then -/var/log/admin.log
& stop
# Failed access attempts
if $msg contains 'failure' or $msg contains 'failed' or $msg contains 'denied' then -/var/log/access.log
& stop
# System changes
if $msg contains 'changed' or $msg contains 'modified' then -/var/log/change.log
& stop
# ============================================================================
# Rate Limiting Per Facility
# ============================================================================
# Rate limit syslog messages
$Ruleset remote
$ActionQueueType LinkedList
$ActionQueueSize 100000
*.* :omusrmsg:*
# ============================================================================
# Discard Messages
# ============================================================================
# Discard debug messages
*.=debug ~
Reference in New Issue View Git Blame Copy Permalink