Rule ID
SV-272432r1123950_rule
Version
V3R2
CCIs
CCI-001348
Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on a defined frequency helps to ensure, in the event of a catastrophic system failure, the audit records will be retained. This helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records.
Verify that the BIND 9.x server is configured to send audit logs to at least two syslog servers.
Note: A syslog channel and a local file channel must be defined for every defined category.
Inspect the "named.conf" file for the following:
logging {
    channel <syslog_channel> {
        syslog <syslog_facility>;
    };
    category <category_name> { <syslog_channel>; };
};
logging {
    channel <syslog_channel> {
        syslog <syslog_facility>;
    };
    category <category_name> { <syslog_channel>; };
};
If a logging channel is not defined for each syslog, this is a finding.
If a category is not defined to send messages to the syslog channels, this is a finding.
Configure the "logging" statement to send audit logs to the syslog daemons.
logging {
    channel <syslog_channel> {
        syslog <syslog_facility>;
    };
    category <category_name> { <syslog_channel>; };
};
logging {
    channel <syslog_channel> {
        syslog <syslog_facility>;
    };
    category <category_name> { <syslog_channel>; };
};
Note: It is recommended to use a local syslog facility (i.e., local0 through local7) when configuring the syslog channel.
Restart the BIND 9.x process.
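One way to automate the "named.conf" inspection above, as an added example that is not part of the STIG text: it reports any category that lacks a syslog channel or a local file channel. The sample configuration and the channel names audit_syslog and audit_file are constructed; the script assumes unquoted channel names and inspects "named.conf" only, not the syslog daemon that forwards to the syslog servers.

```python
import re

# Constructed sample named.conf fragment, not taken from the page.
SAMPLE_CONF = """
logging {
    channel audit_syslog { syslog local0; severity info; };
    channel audit_file { file "/var/log/named/syslog-copy.log"; }; // local copy
    category default  { audit_syslog; audit_file; };
    category security { audit_syslog; audit_file; };
    category queries  { audit_file; };   # never reaches syslog
};
"""

def strip_comments(text):
    """Drop /* */, // and # comments but leave quoted strings untouched."""
    pat = r'"[^"\n]*"|/\*.*?\*/|(?://|#)[^\n]*'
    return re.sub(pat, lambda m: m.group(0) if m.group(0)[0] == '"' else "",
                  text, flags=re.S)

def logging_body(text):
    """Return the text between the braces of the logging statement."""
    m = re.search(r"\blogging\s*\{", text)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[m.end():i]
    return None  # unbalanced braces

def check_logging(conf):
    """Return findings for the conditions in the check text and its note."""
    body = logging_body(strip_comments(conf))
    if body is None:
        return ["no logging statement found"]
    channels = dict(re.findall(r"\bchannel\s+([\w-]+)\s*\{([^}]*)\}", body))
    # Only channels defined in the file count; built-in channels are ignored
    # because the check asks for defined channels.
    kinds = {"syslog": set(), "file": set()}
    for name, chan_body in channels.items():
        for kind in kinds:
            if re.search(r"(?:^|;)\s*%s\b" % kind, chan_body):
                kinds[kind].add(name)
    findings = [f"no {k} channel is defined" for k in kinds if not kinds[k]]
    for cat, dests in re.findall(r"\bcategory\s+([\w-]+)\s*\{([^}]*)\}", body):
        used = set(re.findall(r"[\w-]+", dests))
        findings += [f"category {cat} has no {kind} channel"
                     for kind in kinds if not used & kinds[kind]]
    return findings
```

Calling check_logging(SAMPLE_CONF) returns a list of finding strings; an empty list means neither condition was hit.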