Ubuntu Security Recommendation on Logging

by Free Linux
4 min read
Add Comment

A. Install and configure Rsyslog

Rsyslog is the recommended syslog server on Linux, and has replaced the “syslogd” program. It is has better features and improvements such as TCP log transmission, encryption and can log to database.

1. Install the package

apt install rsyslog

2. Verify if rsyslog is installed

dpkg -s rsyslog

3. Verify if rsyslog is enabled

systemctl is-enabled rsyslog

If not enable, execute the commands to enable rsyslog

systemctl –now enable rsyslog

4. Configure logging
Note: Configuration file is /etc/rsyslog.conf and additional files are located under /etc/rsyslog.d/ directory

Here’s a sample configuration of /etc/rsyslog.conf

*.emerg                                          :omusrmsg:*
auth,authpriv.*                             /var/log/auth.log
mail.*                                              -/var/log/mail mail.info
mail.warning                                -/var/log/mail.warn
mail.err                                         /var/log/mail.err
news.crit                                       -/var/log/news/news.crit
news.err                                        -/var/log/news/news.err
news.notice                                 -/var/log/news/news.notice
*.=warning;*.=err                        -/var/log/warn
*.crit                                              /var/log/warn
*.*;mail.none;news.none          -/var/log/messages
local0,local1.*                              -/var/log/localmessages
local2,local3.*                              -/var/log/localmessages
local4,local5.*                             -/var/log/localmessages
local6,local7.*                             -/var/log/localmessages

Reload the configuration:

systemctl reload rsyslog

5. Set rsyslog for default file permission

Recommendation: (/etc/rsyslog.conf and /etc/rsyslog.d/*.conf)

$FileCreateMode 0640

6. Configure to accept authorized hosts
This is to provide security to only accept from authorized IPs or hosts and protect from spoofed logs.
There are 2 options for providing remote syslog reception:

a. UDP (faster but not that reliable)

Old config:

$ModLoad imudp
$UDPServerRun 514

New config:

module(load=”imudp”)
input(type=”imudp” port=”514″)

b. TCP (slower but reliable)

Old config:

$ModLoad imtcp
$InputTCPServerRun 514

New config:

module(load=”imtcp”)
input(type=”imtcp” port=”514″)

7. Configure to send logs remotely
-it is recommended to send logs to a centralised remote syslog server

Under the /etc/rsyslog.conf, add the following config

*. * @@192.168.2.254:514

where:
*.* -> to send all the logs to remote host
@@ -> directs logs to the server (can be FQDN or IP), it will use TCP
192.168.2.254 –> is the remote syslog host
514 –> port number

To take effect all the changes, restart the rsyslog process

systemctl stop rsyslog
systemctl start rsyslog

 

B.  Configure systemd-journald

systemd-journald is a system service that collects and stores logging data. It creates and maintains structured, indexed
journals based on logging information that is received from a variety of sources:

  • Kernel log messages, via kmsg
  • Simple system log messages, via the libc syslog(3) call
  • Structured system log messages via the native Journal API
  • Standard output and standard error of system services
  • Audit records

1. Configure journald to send logs to syslog
Under the /etc/systemd/journald.conf, uncomment to enable

ForwardToSyslog=yes

2. Configure to compress large log files
Under the /etc/systemd/journald.conf, uncomment to enable

Compress=yes

3. Configure to write logs to persistent disk
This can help to protect from loss upon server reboot
Under the /etc/systemd/journald.conf, uncomment to enable

Storage=persistent

 

C. Configure logrotate 
Two files that need to look through as per your requirement and policy
a. /etc/logrotate.d/rsyslog
Here’s sample settings:

/var/log/syslog
{
rotate 7
daily
missingok
notifempty
delaycompress
compress
postrotate
/usr/lib/rsyslog/rsyslog-rotate
endscript
}
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
{
rotate 4
weekly
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
/usr/lib/rsyslog/rsyslog-rotate
endscript
}

b. /etc/logrotate.conf
Here’s sample settings:
# rotate log files weekly
weekly

/var/log/wtmp {
missingok
monthly
create 0664 root utmp
rotate 1
}

Note: Make sure to set the correct permissions. Under the /etc/logrotate.conf, should be “create 0640 root utmp”

About the author

Free Linux

View all posts

Leave a Reply