aide: logs not forwarded and duplicated locally

Description

The rsyslog rules for SIMP's aide module specify an input rule AFTER the remote (forwarding) rule. This ordering results in

  • the logs not being forwarded to remote syslog servers

  • the logs being duplicated on the local machine.

To fix this behavior the following needs to be done:

  • The 'aide_log' and 'aide_report' rsyslog::rule::other rules need to be changed to rsyslog::rule::data_source

  • Local drop rules for this data need to be created, using syslog::rule::local with content parameter being introduced with
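The two symptoms above come down to rule order: rsyslog evaluates rules in the order they appear (files under /etc/rsyslog.d are included in lexical order), so a local write that carries `stop` ahead of the forwarding action silently blocks forwarding, while a local write without `stop` lets the message fall through into the catch-all rules and get logged twice. The fragment below is an added illustration in plain rsyslog RainerScript, not the configuration the SIMP aide or rsyslog modules generate; the file paths, the `aide` tag, the `local6` facility and the `logserver.example.com` target are placeholders chosen for the example.

```rsyslog
# Illustrative rsyslog configuration (added example, not SIMP-generated config).
# Assumptions: AIDE output is ingested from /var/log/aide/aide.log via imfile
# under the tag "aide", the collector is logserver.example.com (placeholder),
# and the local copy goes to /var/log/aide.log.

module(load="imfile")

# Data source: declare the input once, ahead of any rule that filters on it.
input(type="imfile"
      File="/var/log/aide/aide.log"
      Tag="aide:"
      Facility="local6"
      Severity="info")

# --- Problematic ordering (produces the two symptoms in this issue) ---
# 1. The local write runs first and ends with "stop", so the forwarding
#    action below it is never reached: nothing goes to the remote server.
# 2. If the "stop" is dropped to fix (1), the message continues into the
#    generic rules (e.g. *.info -> /var/log/messages) and is written twice.
#
#   if $programname == 'aide' then { action(type="omfile" file="/var/log/aide.log") stop }
#   action(type="omfwd" target="logserver.example.com" port="514" protocol="tcp")

# --- Corrected ordering ---
# Forward first, then write the local copy, then stop so later catch-all
# rules do not duplicate the message.
if $programname == 'aide' then {
    action(type="omfwd" target="logserver.example.com" port="514" protocol="tcp")
    action(type="omfile" file="/var/log/aide.log")
    stop
}
```

Syntax can be checked without restarting the daemon with `rsyslogd -N1 -f <file>`; whether the message reaches the collector and appears once locally is best confirmed by watching the remote host and `/var/log/messages` after a test run of AIDE.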

Acceptance Criteria

None

Activity

Liz Nemsick
August 16, 2017, 12:32 PM

Although local logs are duplicated, it may be the case that the AIDE reports are overwritten each time AIDE runs, not appended. If that is the case, the local syslog messages should be retained. Need to check how AIDE is configured.

Trevor Vaughan
September 7, 2017, 8:01 PM

Filed a bug with CentOS about the missing option for syslog in the man page at https://bugs.centos.org/view.php?id=13777

Labels

None

Epic Link

None

Story Points

5

Components

Assignee

Liz Nemsick

Sprint

None

Affects versions

Priority

Highest