Closed zac90 closed 1 year ago
hi @zac90
Thank you for taking the time to raise the issues and provide the feedback. For this issue regarding rsyslog, we follow CIS control rules; to keep locally is not one of the options to be compliant, I'm afraid. Although you have highlighted some options that they have not yet updated in their documentation. I am currently adding these as options to ensure they are commented out. This will hopefully be in the devel branch soon.
Many thanks
uk-bolly
Describe the Issue
The playbook has the option to specify whether the host is a log server or not (ubtu22cis_system_is_log_server), which is good. However, there is no option to specify the host just keeping logs locally. This affects the settings it configures in /etc/rsyslog.conf and causes an audit to fail as it finds those lines in the file.
Expected Behavior
The following lines should either not appear or be commented out if the host is keeping logs to itself.
$ModLoad imtcp
$InputTCPServerRun port
$ModLoad imudp
$UDPServerRun port
$ModLoad imrelp
$InputRELPServerRun port
Actual Behavior
The host is setting up ports to listen on.
Control(s) Affected
4.2.2.6 and 4.2.2.7
Possible Solution
Add another variable option for when host keeps logs itself. That way rsyslog can be configured to not be listening on any ports. Then add a task that comments out those lines if that variable is set.
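The check and fix proposed in the issue above, as an added shell example (not part of the issue and not the playbook's own code): it finds the listed legacy listener directives when they are active and comments them out idempotently. The function names, the sample config and its port numbers are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example: find and comment out the legacy rsyslog listener directives
# listed in the issue. Function names here are hypothetical.

# ERE for an active (uncommented) listener directive, allowing leading spaces.
LISTENER_RE='^[[:space:]]*\$(ModLoad[[:space:]]+(imtcp|imudp|imrelp)|InputTCPServerRun|UDPServerRun|InputRELPServerRun)([[:space:]]|$)'

# Print active listener directives with line numbers; exit 0 if any exist.
find_rsyslog_listeners() {
    grep -nE "$LISTENER_RE" "$1"
}

# Comment out active listener directives in place, keeping a .bak copy.
# Already-commented lines do not match, so repeated runs change nothing.
disable_rsyslog_listeners() {
    sed -E -i.bak "/$LISTENER_RE/ s/^/#/" "$1"
}

# Constructed sample config (not from a real host).
write_sample_conf() {
    cat > "$1" <<'EOF'
module(load="imuxsock")
$ModLoad imtcp
$InputTCPServerRun 514
  $ModLoad imudp
$UDPServerRun 514
#$ModLoad imrelp
#$InputRELPServerRun 2514
auth,authpriv.* /var/log/auth.log
EOF
}

conf="$(mktemp)"
write_sample_conf "$conf"
echo "Active listener directives before:"
find_rsyslog_listeners "$conf" || true
disable_rsyslog_listeners "$conf"
if find_rsyslog_listeners "$conf" >/dev/null; then
    echo "listeners still active"
else
    echo "no active listener directives remain"
fi
rm -f "$conf" "$conf.bak"
```

This covers only the legacy `$`-style directives quoted in the issue; rsyslog must be restarted for a changed config to take effect.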