Closed trevor-vaughan closed 6 years ago
@trevor-vaughan this is a customizable setting in SSG. You can tailor the content to use syslog instead of email.
@redhatrises So, can we change the default to syslog since that is what matches LSPP and let people toggle it to email for those that have email systems?
@trevor-vaughan the STIG asks for email by default. The ospp profile on the other hand I am sure could be changed to match that.
Hmm...is there an OSPP profile for the Email server? If not, doesn't that have to come first?
Also, we'll need to update the STIG checks to cover setting up local mail accounts. That might be a direct DISA issue I suppose.
I'm assuming postfix due to lack of insanity (sort of).
> Also, we'll need to update the STIG checks to cover setting up local mail accounts
Don't think so. This can be sent from the root account without setting up mail accounts. One example from the AIDE cron:
mail -s "aide integrity check run for <system name>" recipient@mydomain.com
Sure, but this is assuming that there is somewhere to send it.
This can't be a safe assumption. I suppose you could add into the docs that an email server must be present on the network.
BUT, remote email is not reliable and may fail to send. You must use the local mail system to send to a remote system so that you get notification of failed messages. Given that these are security-relevant messages, I'm assuming that dropping them is not OK.
Closing as this is handled by tailoring the file to change from email to syslog.
Description of problem:
For check xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action, SYSLOG should be an acceptable behavior. Many systems may prefer automated log analysis instead of checking an e-mail account for consistent enterprise-grade reporting.
SCAP Security Guide Version:
0.1.36
Operating System Version:
EL 7
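The behaviour discussed in this thread, as an added example that is not part of the original issue and is not SSG's own check code: a Python emulation of a `space_left_action` check whose expected value can be switched from email to syslog, which is what tailoring does for the rule. The function names, the `expected` parameter and the sample `auditd.conf` contents are constructed for illustration.

```python
# Added example; illustrative names, not the SSG/OVAL implementation.
# Actions listed for space_left_action in auditd.conf(5).
VALID_ACTIONS = {"ignore", "syslog", "rotate", "email",
                 "exec", "suspend", "single", "halt"}

# Constructed sample inputs (not taken from a real system).
CONF_EMAIL = """\
# constructed sample: STIG-style setting
space_left = 75
space_left_action = email
action_mail_acct = root
"""
CONF_SYSLOG = """\
# constructed sample: setting requested in the issue
space_left = 75
space_left_action = SYSLOG
"""

def parse_auditd_conf(text):
    """Parse 'key = value' lines; keys are lowercased, last one wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings

def check_space_left_action(conf_text, expected="email"):
    """Return (passed, reason). `expected` stands in for the tailorable value."""
    raw = parse_auditd_conf(conf_text).get("space_left_action")
    if raw is None:
        return False, "space_left_action is not set"
    # 'exec' is followed by a path, so compare only the first word,
    # case-insensitively (the issue writes the value as SYSLOG).
    words = raw.split()
    action = words[0].lower() if words else ""
    if action not in VALID_ACTIONS:
        return False, f"unknown action {raw!r}"
    if action != expected.lower():
        return False, f"found {action!r}, expected {expected.lower()!r}"
    return True, f"space_left_action is {action!r}"

if __name__ == "__main__":
    for name, conf in (("email conf", CONF_EMAIL), ("syslog conf", CONF_SYSLOG)):
        for expected in ("email", "syslog"):
            print(name, "| expected", expected, "->", check_space_left_action(conf, expected))
```

With the default expectation the syslog configuration fails, and with `expected="syslog"` it passes. The email configuration can pass the check without showing that a mail system exists to deliver the message, which is the concern raised in the comments.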