Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server

문서 > Datadog 보안 > OOTB Rules > Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Description

The rsyslog daemon should not accept remote messages unless the system acts as a log server. To ensure that it is not listening on the network, ensure any of the following lines are not found in rsyslog configuration files.

If using legacy syntax:

$ModLoad imtcp
$InputTCPServerRun port
$ModLoad imudp
$UDPServerRun port
$ModLoad imrelp
$InputRELPServerRun port

If using RainerScript syntax:

module(load="imtcp")
module(load="imudp")
input(type="imtcp" port="514")
input(type="imudp" port="514")

Rationale

Any process which receives messages from the network incurs some risk of receiving malicious messages. This risk can be eliminated for rsyslog by configuring it not to listen on the network.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

legacy_regex='^\s*\$(((Input(TCP|RELP)|UDP)ServerRun)|ModLoad\s+(imtcp|imudp|imrelp))'
rainer_regex='^\s*(module|input)\((load|type)="(imtcp|imudp)".*$'

readarray -t legacy_targets < <(grep -l -E -r "${legacy_regex[@]}" /etc/rsyslog.conf /etc/rsyslog.d/)
readarray -t rainer_targets < <(grep -l -E -r "${rainer_regex[@]}" /etc/rsyslog.conf /etc/rsyslog.d/)

config_changed=false
if [ ${#legacy_targets[@]} -gt 0 ]; then
    for target in "${legacy_targets[@]}"; do
        sed -E -i "/$legacy_regex/ s/^/# /" "$target"
    done
    config_changed=true
fi

if [ ${#rainer_targets[@]} -gt 0 ]; then
    for target in "${rainer_targets[@]}"; do
        sed -E -i "/$rainer_regex/ s/^/# /" "$target"
    done
    config_changed=true
fi

if $config_changed; then
    systemctl restart rsyslog.service
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
    - Define Rsyslog Config Lines Regex in Legacy Syntax
  ansible.builtin.set_fact:
    rsyslog_listen_legacy_regex: ^\s*\$(((Input(TCP|RELP)|UDP)ServerRun)|ModLoad\s+(imtcp|imudp|imrelp))
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_nolisten

- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
    - Search for Legacy Config Lines in Rsyslog Main Config File
  ansible.builtin.find:
    paths: /etc
    pattern: rsyslog.conf
    contains: '{{ rsyslog_listen_legacy_regex }}'
  register: rsyslog_listen_legacy_main_file
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_nolisten

- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
    - Search for Legacy Config Lines in Rsyslog Include Files
  ansible.builtin.find:
    paths: /etc/rsyslog.d/
    pattern: '*.conf'
    contains: '{{ rsyslog_listen_legacy_regex }}'
  register: rsyslog_listen_legacy_include_files
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_nolisten

- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
    - Assemble List of Config Files With Listen Lines in Legacy Syntax
  ansible.builtin.set_fact:
    rsyslog_legacy_remote_listen_files: '{{ rsyslog_listen_legacy_main_file.files
      | map(attribute=''path'') | list + rsyslog_listen_legacy_include_files.files
      | map(attribute=''path'') | list }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_nolisten

- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
    - Comment Listen Config Lines Wherever Defined Using Legacy Syntax
  ansible.builtin.replace:
    path: '{{ item }}'
    regexp: '{{ rsyslog_listen_legacy_regex }}'
    replace: '# \1'
  loop: '{{ rsyslog_legacy_remote_listen_files }}'
  register: rsyslog_listen_legacy_comment
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - rsyslog_legacy_remote_listen_files | length > 0
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_nolisten

- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
    - Define Rsyslog Config Lines Regex in RainerScript Syntax
  ansible.builtin.set_fact:
    rsyslog_listen_rainer_regex: ^\s*(module|input)\((load|type)="(imtcp|imudp)".*$
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_nolisten

- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
    - Search for RainerScript Config Lines in Rsyslog Main Config File
  ansible.builtin.find:
    paths: /etc
    pattern: rsyslog.conf
    contains: '{{ rsyslog_listen_rainer_regex }}'
  register: rsyslog_rainer_remote_main_file
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_nolisten

- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
    - Search for RainerScript Config Lines in Rsyslog Include Files
  ansible.builtin.find:
    paths: /etc/rsyslog.d/
    pattern: '*.conf'
    contains: '{{ rsyslog_listen_rainer_regex }}'
  register: rsyslog_rainer_remote_include_files
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_nolisten

- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
    - Assemble List of Config Files With Listen Lines in RainerScript
  ansible.builtin.set_fact:
    rsyslog_rainer_remote_listen_files: '{{ rsyslog_rainer_remote_main_file.files
      | map(attribute=''path'') | list + rsyslog_rainer_remote_include_files.files
      | map(attribute=''path'') | list }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_nolisten

- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
    - Comment Listen Config Lines Wherever Defined Using RainerScript
  ansible.builtin.replace:
    path: '{{ item }}'
    regexp: '{{ rsyslog_listen_rainer_regex }}'
    replace: '# \1'
  loop: '{{ rsyslog_rainer_remote_listen_files }}'
  register: rsyslog_listen_rainer_comment
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - rsyslog_rainer_remote_listen_files | length > 0
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_nolisten

- name: Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
    - Restart Rsyslog if Any Line Were Commented Out
  ansible.builtin.service:
    name: rsyslog
    state: restarted
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - rsyslog_listen_legacy_comment is changed or rsyslog_listen_rainer_comment is changed
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_nolisten