
Sun Ray server does not send logs to syslog server.


Overview

Finding ID: V-16393
Version: SUN0340
Rule ID: SV-17386r1_rule
IA Controls: ECAR-1, ECAR-2, ECAR-3
Severity: Low
Description
Remote logging is essential to monitoring servers and detecting intrusions. An intruder who obtains root on a host can edit the local system logs to remove all traces of the attack. If the logs are also stored off the machine, they remain available for analysis of suspicious activity and for prosecuting the attacker. Centralized log monitoring and storage is a critical component of incident response and of assuring the integrity of system logs.
STIG: Sun Ray 4 STIG
Date: 2015-04-02

Details

Check Text ( C-17271r1_chk )
On the Sun Ray server, examine the /etc/syslog.conf file.
To send all syslog data from the Sun Ray server to a remote syslog host, look for a line of the form:
*.* @loghost (name of remote host)

OR a line that forwards selected facilities and levels, such as:

*.debug, info, …@loghost

Note that in the Solaris syslog.conf format the selector list and the action are separated by one or more tabs (not spaces), multiple selectors are separated by semicolons, and a facility.level selector matches that level and every more severe level. A selector such as local1.notice therefore does not forward local1.info messages.

At a minimum, the following two logs must be forwarded to a remote syslog server:

Log Name    Facility.Level   Default Location
messages    user.info        /var/opt/SUNWut/log/messages
admin_log   local1.info      /var/opt/SUNWut/log/admin_log

Verify that the loghost named in syslog.conf does not resolve to the local machine. Check the /etc/hosts file to see what address the name maps to; if it is not listed there, query DNS (for example with getent hosts or nslookup) to determine what it resolves to. If it resolves to localhost (127.0.0.1 or ::1), this is a finding. Be aware that Solaris commonly carries loghost as an alias on the server's own address in /etc/hosts; a loghost that maps to any of the server's own addresses likewise leaves the logs on the machine and defeats the intent of this control.
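The check above can be automated against copies of /etc/syslog.conf and /etc/hosts pulled from the Sun Ray server. The following script is an added example written for this page, not part of the STIG or of Sun Ray Server Software. It parses Solaris-style syslog.conf selectors (including the threshold semantics of levels and comma-separated facility lists), finds which hosts receive user.info and local1.info, resolves those names against an /etc/hosts-style file, and reports a finding when a required facility reaches no host other than loopback. The file paths, host names (loghost, siem01) and addresses are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the STIG: an offline version of the SUN0340 check.
# Both inputs are passed as file paths so the check can run against copies
# of /etc/syslog.conf and /etc/hosts taken from the Sun Ray server.

# Print each remote host (the part after "@") that receives facility.level messages.
# A selector covers the pair when its facility is "*" or matches, and its level is
# "*" or at or below the wanted level (syslog levels are thresholds, not exact matches).
forwarding_hosts() {  # $1 = syslog.conf, $2 = facility, $3 = level
    awk -v want_fac="$2" -v want_lvl="$3" '
        BEGIN {
            n = split("debug info notice warning err crit alert emerg", names, " ")
            for (i = 1; i <= n; i++) rank[names[i]] = i
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            action = $NF
            if (action !~ /^@/) next                 # local files and /dev/sysmsg do not count
            sel = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", sel)     # drop the action, keep the selector list
            sub(/^[ \t]+/, "", sel)
            nsel = split(sel, parts, ";")
            for (i = 1; i <= nsel; i++) {
                if (split(parts[i], fl, ".") != 2) continue
                if (fl[2] != "*" && !((fl[2] in rank) && rank[fl[2]] <= rank[want_lvl])) continue
                nfac = split(fl[1], facs, ",")       # "user,local1.info" names several facilities
                for (j = 1; j <= nfac; j++)
                    if (facs[j] == "*" || facs[j] == want_fac) { print substr(action, 2); next }
            }
        }' "$1"
}

# Print the address an /etc/hosts-style file gives for a name; prints nothing if absent.
hosts_lookup() {  # $1 = hosts file, $2 = hostname
    awk -v host="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { for (i = 2; i <= NF; i++) if ($i == host) { print $1; exit } }' "$1"
}

# Return 0 when both Sun Ray facilities reach at least one non-loopback host, 1 otherwise.
check_sunray_forwarding() {  # $1 = syslog.conf, $2 = hosts file
    rc=0
    for pair in user.info local1.info; do
        remote=0
        for h in $(forwarding_hosts "$1" "${pair%.*}" "${pair#*.}"); do
            addr=$(hosts_lookup "$2" "$h")
            case $addr in
                127.*|::1) echo "warn: $pair -> $h resolves to loopback ($addr)" ;;
                "")        echo "note: $h not in hosts file; confirm with: getent hosts $h"; remote=1 ;;
                *)         echo "ok:   $pair -> $h ($addr)"; remote=1 ;;
            esac
        done
        if [ "$remote" -eq 0 ]; then
            echo "FINDING: $pair is not forwarded to a remote syslog host"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample data, not taken from a real server.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf '127.0.0.1\tlocalhost loghost\n10.0.0.5\tsiem01\n' > "$WORK/hosts"
# Non-compliant: everything goes to "loghost", which the hosts file maps to 127.0.0.1.
printf '*.err;kern.notice\t/dev/sysmsg\n*.*\t@loghost\n' > "$WORK/bad.conf"
# Non-compliant: local1 is forwarded only at notice and above, so local1.info stays local.
printf 'user.info\t@siem01\nlocal1.notice\t@siem01\n' > "$WORK/partial.conf"
# Compliant: both required facilities reach siem01.
printf '# Sun Ray logs\nuser,local1.info\t@siem01\n*.err\t/var/adm/messages\n' > "$WORK/good.conf"

for c in bad partial good; do
    echo "== $c.conf"
    if check_sunray_forwarding "$WORK/$c.conf" "$WORK/hosts"; then echo "PASS"; else echo "FAIL"; fi
done
```

On a live server, run the same functions against the real /etc/syslog.conf and /etc/hosts, and follow the "note:" lines with getent hosts (or nslookup) for names the hosts file does not contain. The script treats only loopback as local; a loghost alias on the server's own routable address would pass this check, so compare the resolved address against the server's own interfaces as well.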
Fix Text (F-16423r1_fix)
Configure the Sun Ray server to send its logs to a remote syslog server: add a line to /etc/syslog.conf that forwards at least the user.info and local1.info selectors (or *.*) to a remote host that does not resolve to the local machine, then restart syslogd so the change takes effect.