- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
The rsyslog
daemon should not accept remote messages unless the system acts as a log
server. To ensure that it is not listening on the network, ensure any of the following lines
are not found in rsyslog
configuration files.
If using legacy syntax:
$ModLoad imtcp
$InputTCPServerRun port
$ModLoad imudp
$UDPServerRun port
$ModLoad imrelp
$InputRELPServerRun port
If using RainerScript syntax:
module(load="imtcp")
module(load="imudp")
input(type="imtcp" port="514")
input(type="imudp" port="514")
Any process which receives messages from the network incurs some risk of receiving malicious messages. This risk can be eliminated for rsyslog by configuring it not to listen on the network.
The following script can be run on the host to remediate the issue.
#!/bin/bash
# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}
' 'kernel' 2>/dev/null | grep -q installed; then
legacy_regex='^\s*\$(((Input(TCP|RELP)|UDP)ServerRun)|ModLoad\s+(imtcp|imudp|imrelp))'
rainer_regex='^\s*(module|input)\((load|type)="(imtcp|imudp)".*$'
readarray -t legacy_targets < <(grep -l -E -r "${legacy_regex[@]}" /etc/rsyslog.conf /etc/rsyslog.d/)
readarray -t rainer_targets < <(grep -l -E -r "${rainer_regex[@]}" /etc/rsyslog.conf /etc/rsyslog.d/)
config_changed=false
if [ ${#legacy_targets[@]} -gt 0 ]; then
for target in "${legacy_targets[@]}"; do
sed -E -i "/$legacy_regex/ s/^/# /" "$target"
done
config_changed=true
fi
if [ ${#rainer_targets[@]} -gt 0 ]; then
for target in "${rainer_targets[@]}"; do
sed -E -i "/$rainer_regex/ s/^/# /" "$target"
done
config_changed=true
fi
if $config_changed; then
systemctl restart rsyslog.service
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
The following playbook can be run with Ansible to remediate the issue.
- name: Gather the package facts
package_facts:
manager: auto
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_nolisten
- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
- Define Rsyslog Config Lines Regex in Legacy Syntax
ansible.builtin.set_fact:
rsyslog_listen_legacy_regex: ^\s*\$(((Input(TCP|RELP)|UDP)ServerRun)|ModLoad\s+(imtcp|imudp|imrelp))
when: '"kernel" in ansible_facts.packages'
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_nolisten
- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
- Search for Legacy Config Lines in Rsyslog Main Config File
ansible.builtin.find:
paths: /etc
pattern: rsyslog.conf
contains: '{{ rsyslog_listen_legacy_regex }}'
register: rsyslog_listen_legacy_main_file
when: '"kernel" in ansible_facts.packages'
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_nolisten
- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
- Search for Legacy Config Lines in Rsyslog Include Files
ansible.builtin.find:
paths: /etc/rsyslog.d/
pattern: '*.conf'
contains: '{{ rsyslog_listen_legacy_regex }}'
register: rsyslog_listen_legacy_include_files
when: '"kernel" in ansible_facts.packages'
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_nolisten
- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
- Assemble List of Config Files With Listen Lines in Legacy Syntax
ansible.builtin.set_fact:
rsyslog_legacy_remote_listen_files: '{{ rsyslog_listen_legacy_main_file.files
| map(attribute=''path'') | list + rsyslog_listen_legacy_include_files.files
| map(attribute=''path'') | list }}'
when: '"kernel" in ansible_facts.packages'
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_nolisten
- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
- Comment Listen Config Lines Wherever Defined Using Legacy Syntax
ansible.builtin.replace:
path: '{{ item }}'
regexp: '{{ rsyslog_listen_legacy_regex }}'
replace: '# \1'
loop: '{{ rsyslog_legacy_remote_listen_files }}'
register: rsyslog_listen_legacy_comment
when:
- '"kernel" in ansible_facts.packages'
- rsyslog_legacy_remote_listen_files | length > 0
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_nolisten
- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
- Define Rsyslog Config Lines Regex in RainerScript Syntax
ansible.builtin.set_fact:
rsyslog_listen_rainer_regex: ^\s*(module|input)\((load|type)="(imtcp|imudp)".*$
when: '"kernel" in ansible_facts.packages'
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_nolisten
- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
- Search for RainerScript Config Lines in Rsyslog Main Config File
ansible.builtin.find:
paths: /etc
pattern: rsyslog.conf
contains: '{{ rsyslog_listen_rainer_regex }}'
register: rsyslog_rainer_remote_main_file
when: '"kernel" in ansible_facts.packages'
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_nolisten
- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
- Search for RainerScript Config Lines in Rsyslog Include Files
ansible.builtin.find:
paths: /etc/rsyslog.d/
pattern: '*.conf'
contains: '{{ rsyslog_listen_rainer_regex }}'
register: rsyslog_rainer_remote_include_files
when: '"kernel" in ansible_facts.packages'
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_nolisten
- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
- Assemble List of Config Files With Listen Lines in RainerScript
ansible.builtin.set_fact:
rsyslog_rainer_remote_listen_files: '{{ rsyslog_rainer_remote_main_file.files
| map(attribute=''path'') | list + rsyslog_rainer_remote_include_files.files
| map(attribute=''path'') | list }}'
when: '"kernel" in ansible_facts.packages'
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_nolisten
- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
- Comment Listen Config Lines Wherever Defined Using RainerScript
ansible.builtin.replace:
path: '{{ item }}'
regexp: '{{ rsyslog_listen_rainer_regex }}'
replace: '# \1'
loop: '{{ rsyslog_rainer_remote_listen_files }}'
register: rsyslog_listen_rainer_comment
when:
- '"kernel" in ansible_facts.packages'
- rsyslog_rainer_remote_listen_files | length > 0
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_nolisten
- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
- Restart Rsyslog if Any Line Were Commented Out
ansible.builtin.service:
name: rsyslog
state: restarted
when:
- '"kernel" in ansible_facts.packages'
- rsyslog_listen_legacy_comment is changed or rsyslog_listen_rainer_comment is changed
tags:
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_nolisten