Rule ID
SV-274020r1193303_rule
Version
V1R3
CCIs
CCI-000154, CCI-001851
Successful incident response and auditing relies on timely, accurate system information and analysis allow the organization to identify and respond to potential incidents in a proficient manner. If Amazon Linux 2023 does not provide the ability to centrally review Amazon Linux 2023 logs, forensic analysis is negatively impacted. Segregation of logging data to multiple disparate computer systems is counterproductive and makes log analysis and log event alarming difficult to implement and manage, particularly when the system has multiple logging components writing to different locations or systems. To support the centralized capability, Amazon Linux 2023 must be able to provide the information in a format that can be extracted and used, allowing the application performing the centralization of the log records to meet this requirement. Satisfies: SRG-OS-000051-GPOS-00024, SRG-OS-000479-GPOS-00224
Verify Amazon Linux 2023 is configured to collect system failure events with the following command: $ dnf list --installed rsyslog Installed Packages rsyslog.x86_64 8.2204.0-3.amzn2023.0.4 @amazonlinux If the "rsyslog" package is not installed, this is a finding. Check that the log service is enabled with the following command: systemctl is-enabled rsyslog enabled If the command above returns "disabled", this is a finding.
Configure Amazon Linux 2023 to monitor all remote access methods by installing rsyslog with the following command: $ sudo dnf install -y rsyslog Enable the log service with the following command: $ sudo systemctl enable --now rsyslog