ansible-lockdown / UBUNTU22-CIS

Ansible role for Ubuntu22 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License
181 stars 80 forks

Rule 4.2.2.6 and 4.2.2.7 rsyslog config #54

Closed zac90 closed 1 year ago

zac90 commented 1 year ago

Describe the Issue

The playbook has the option to specify whether the host is a log server or not (ubtu22cis_system_is_log_server), which is good. However, there is no option to specify that the host is just keeping logs locally. This affects the settings it configures in /etc/rsyslog.conf and causes an audit to fail, as it finds those lines in the file.

Expected Behavior

The following lines should either not appear or be commented out if the host is keeping logs to itself.

$ModLoad imtcp
$InputTCPServerRun port
$ModLoad imudp
$UDPServerRun port
$ModLoad imrelp
$InputRELPServerRun port

Actual Behavior

The host is setting up ports to listen on.

Control(s) Affected

4.2.2.6 and 4.2.2.7

Possible Solution

Add another variable option for when the host keeps logs itself. That way rsyslog can be configured to not be listening on any ports. Then add a task that comments out those lines if that variable is set.

uk-bolly commented 1 year ago

Hi @zac90

Thank you for taking the time to raise the issues and provide the feedback. For this issue regarding rsyslog, we follow the CIS control rules; keeping logs locally is not one of the options to be compliant, I'm afraid. Although you have highlighted some options that they have not yet updated in their documentation. I am currently adding these as options to ensure they are commented out. This will hopefully be in the devel branch soon.

Many thanks

uk-bolly
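The check and fix discussed in this thread, as an added shell example that is not the role's own code: it finds active (uncommented) copies of the six legacy listener directives listed in the issue and comments them out, keeping a backup. The function names and the sample file are constructed for illustration; other rsyslog syntaxes for loading input modules are not covered.

```shell
#!/bin/sh
# Matches only the legacy directives quoted in the issue, and only when active
# (not already commented out). Leading whitespace is allowed.
LISTENER_RE='^[[:space:]]*\$(ModLoad[[:space:]]+(imtcp|imudp|imrelp)|InputTCPServerRun|UDPServerRun|InputRELPServerRun)([[:space:]]|$)'

# Audit: print file:line:text for each active listener directive.
# Exit status 0 means at least one was found (the audit would fail).
find_listeners() {
    grep -EHn "$LISTENER_RE" "$@"
}

# Remediate: comment out active listener directives in place.
# The original is kept as <file>.bak; writing back through the same
# path preserves the file's inode, owner and mode.
comment_listeners() {
    for f in "$@"; do
        cp -p "$f" "$f.bak" &&
        sed -E "/$LISTENER_RE/ s/^/#/" "$f.bak" > "$f" || return 1
    done
}

# Constructed sample config (not taken from a real host).
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample rsyslog.conf
$ModLoad imuxsock
$ModLoad imtcp
$InputTCPServerRun 514
#$ModLoad imudp
  $UDPServerRun 514
*.info /var/log/messages
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp/rsyslog.conf"
echo "before:"; find_listeners "$tmp/rsyslog.conf"
comment_listeners "$tmp/rsyslog.conf"
echo "after:"; find_listeners "$tmp/rsyslog.conf" || echo "no active listener directives"
rm -rf "$tmp"
```

On a host that only keeps logs locally, `find_listeners /etc/rsyslog.conf` should print nothing; rsyslog has to be restarted after `comment_listeners` for the change to take effect.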