football/config/50-cis-logging.conf
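# CIS Debian 13 Benchmark - Security Logging Configuration
# Implements CIS recommendations for enhanced security logging
#
# Written in legacy ($-directive) rsyslog syntax. Ordering is significant:
# $FileCreateMode/$ActionFileDefaultTemplate only affect actions defined
# after them, $ActionQueue* directives bind to the NEXT action only, and
# $RuleSet changes the ruleset every following filter rule belongs to.
# Global settings come first so they apply to every rule in this file.

# Filter duplicate messages
$RepeatedMsgReduction on
# NOTE(review): $RepeatedMsgReductionInterval is not a directive found in the
# rsyslog legacy-directive documentation; confirm rsyslogd accepts it, else drop it.
# Discard duplicate messages within 30 seconds
$RepeatedMsgReductionInterval 30
# Set default permissions for log files. Placed before the first file action so
# that every log created by this file (not only the later ones) is 0640.
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0027
# Ensure all logs include timestamp, hostname and the syslog tag (the tag carries
# the PID when the sender supplies one). Declared once, ahead of all file actions.
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Preserve FQDN in logs
$PreserveFQDN on
# Rate limiting to prevent log flooding (imuxsock directives)
$SystemLogRateLimitInterval 60
$SystemLogRateLimitBurst 1000
# Enable journald to rsyslog forwarding. $OmitLocalLogging stops imuxsock from
# delivering the same local messages a second time.
# NOTE(review): assumes imuxsock is loaded by the main rsyslog.conf - confirm.
$ModLoad imjournal
$OmitLocalLogging on
# Ensure backward compatibility
# NOTE(review): "compat" does not appear to be a module shipped with rsyslog; if
# rsyslogd reports it cannot be loaded, remove this line.
$ModLoad compat
# Include additional configuration files
# NOTE(review): if this file is itself deployed under /etc/rsyslog.d/ (its name
# suggests so), the main rsyslog.conf already includes the directory and this
# line makes every drop-in - including this one - be processed twice, which
# duplicates actions and log lines. Keep it only if this is the main config.
$IncludeConfig /etc/rsyslog.d/*.conf

# Enhanced authorization logging
auth,authpriv.* /var/log/security/auth.log
# Queue settings for reliability. These bind to the forwarding action directly
# below; at the end of the file they attached to nothing in this file (or to the
# first action of whatever file was processed next).
$WorkDirectory /var/spool/rsyslog
$ActionQueueFileName fwdRule1
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
# Forward auth events off-host. "@@" is plain TCP: neither encrypted nor
# authenticated, so an untrusted network segment can read or alter these
# records in transit; use omfwd with a TLS stream driver there.
# "remoteserver" is a placeholder hostname to be replaced at deployment.
auth,authpriv.* @@remoteserver:514
# System logs with security tag
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none /var/log/security/messages
# Kernel messages
kern.* /var/log/security/kern.log
# Security events
# "security" is a deprecated alias for the auth facility in rsyslog, so this
# file receives the same messages as auth.log.
security.* /var/log/security/security.log
# Audit events (from auditd) / User login/logout logs / Network logs
# NOTE(review): "audit", "login" and "network" are not syslog facilities on
# Debian (glibc defines no such facility values), so rsyslog rejects these
# selector lines and the rules never match. Disabled rather than left as dead
# configuration; route these sources by programname or by the facility the
# producing daemon is configured to use.
#audit.* /var/log/security/audit.log
#login.* /var/log/security/login.log
#network.* /var/log/security/network.log
# Sudo commands
# Requires "Defaults syslog=local2" in sudoers; sudo logs to authpriv otherwise,
# in which case this file stays empty and sudo events appear in auth.log only.
local2.* /var/log/security/sudo.log
# Failed logins
# This selector matches every auth/authpriv message, not only failures; the
# failure-specific copy is produced by the content filter further down.
authpriv.*;auth.* /var/log/security/failed.log
# Application specific logs
mail.* -/var/log/security/mail.log
cron.* /var/log/security/cron.log
daemon.* /var/log/security/daemon.log
# Security alerts (alert and emerg)
*.alert /var/log/security/alerts.log
*.emerg :omusrmsg:*
# Console logging (requires the /dev/xconsole FIFO to exist; the action is
# suspended with errors otherwise)
*.=crit;*.=err;*.=warning |/dev/xconsole
# Remote logging to security team (if configured)
# *.* @@logserver.domain.tld:514
# Preserve security log integrity
# Content-based routing. These match on message text, which the logging process
# itself controls, so treat them as a convenience copy rather than an
# authoritative record; the facility rules above remain the primary source.
:msg, contains, "security" /var/log/security/security.log
# NOTE(review): "contains" is case-sensitive; login(1) reports "FAILED LOGIN" in
# upper case and sshd reports "Failed password", so confirm this pattern
# actually matches the messages seen on this host.
:msg, contains, "failed login" /var/log/security/failed.log
# sudo is matched on its syslog tag rather than on message text so that
# unrelated messages that merely mention "sudo" do not land here.
:programname, isequal, "sudo" /var/log/security/sudo.log
:msg, contains, "audit" /var/log/security/audit.log
# Create separate logs for different security domains
# Everything between $RuleSet and the reset below belongs to ruleset "remote",
# which only sees messages from an input explicitly bound to it; with no such
# binding in this file the rule is inert. ?RemoteLogs names a template that is
# not defined in this file.
$RuleSet remote
:fromhost-ip, !isequal, "127.0.0.1" ?RemoteLogs
& ~
# Return to the default ruleset so later rules - including those in drop-in
# files processed after this one - are not silently bound to "remote".
$RuleSet RSYSLOG_DefaultRuleset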