Enable rsyslog Service
The 'rsyslog' service provides syslog-style logging by default on RHEL 7.
The 'rsyslog' service can be enabled with the following command:
'$ sudo systemctl enable rsyslog'
Configure Logwatch HostLimit Line
On a central logserver, you want Logwatch to summarize all syslog entries, including those which did not originate
on the logserver itself. The 'HostLimit' setting tells Logwatch to report on all hosts, not just the one on which it
is running.
'HostLimit = no'
Configure Logwatch SplitHosts Line
If 'SplitHosts' is set, Logwatch will separate entries by hostname. This makes the report longer but significantly
more usable. If it is not set, then Logwatch will not report which host generated a given log entry, and that
information is almost always necessary.
'SplitHosts = yes'
Disable Logwatch on Clients if a Logserver Exists
Does your site have a central logserver which has been configured to report on logs received from all systems?
If so:
'$ sudo rm /etc/cron.daily/0logwatch'
If no logserver exists, it will be necessary for each machine to run Logwatch individually. Using a central
logserver provides the security and reliability benefits discussed earlier, and ...
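The Logwatch settings above, together with the client-side cron removal, as a small POSIX shell script. This is an added example and not part of the guide: every path is a parameter so the functions can be run against a copy of /etc/logwatch/conf/logwatch.conf or a staging tree, and the sample configuration file it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the guide: check and set the Logwatch settings a
# central logserver needs, and drop the client cron job where a logserver
# exists.  Every path is a parameter so the functions can be run against a
# copy of /etc/logwatch/conf/logwatch.conf or a staging tree, never blindly
# against the live system.

# Print the effective value of KEY in FILE.  Logwatch reads the file top to
# bottom, so the last uncommented assignment wins; nothing is printed when
# the key is unset (Logwatch then falls back to its default.conf).
logwatch_get() {
    key=$1; file=$2
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$file" | tail -n 1
}

# Exit 0 when FILE carries both logserver settings, 1 otherwise, with the
# consequence of each wrong setting printed for the operator.
logwatch_check() {
    file=$1; rc=0
    if [ "$(logwatch_get HostLimit "$file")" != "no" ]; then
        echo "HostLimit is not 'no': the report covers only the local host"; rc=1
    fi
    if [ "$(logwatch_get SplitHosts "$file")" != "yes" ]; then
        echo "SplitHosts is not 'yes': entries are not attributed to a host"; rc=1
    fi
    return $rc
}

# Set KEY = VALUE in FILE: rewrite an existing uncommented assignment in
# place, otherwise append one.  Comments and other settings are left alone,
# and the file is written back through cat so its owner and mode survive.
logwatch_set() {
    key=$1; value=$2; file=$3
    if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        tmp=$(mktemp)
        sed "s/^[[:space:]]*${key}[[:space:]]*=.*/${key} = ${value}/" "$file" > "$tmp" \
            && cat "$tmp" > "$file" && rm -f "$tmp"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Apply both settings to FILE and re-check the result.
logwatch_fix() {
    file=$1
    logwatch_set HostLimit no "$file"
    logwatch_set SplitHosts yes "$file"
    logwatch_check "$file"
}

# On a client whose logs go to a central logserver, remove the daily run.
# ROOT (default empty, i.e. the live system) lets the call target a staging tree.
disable_client_logwatch() {
    root=${1:-}
    job="$root/etc/cron.daily/0logwatch"
    if [ -e "$job" ]; then
        rm -f "$job" && echo "removed $job"
    else
        echo "$job already absent"
    fi
}

# Constructed sample: a client-style configuration with the wrong HostLimit
# and no SplitHosts at all.  Prints the path of the temporary file.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed logwatch.conf for the example, not a real site file
Detail = Med
# HostLimit = no     (commented out, so it does not count)
HostLimit = yes
Service = All
EOF
    echo "$f"
}

# Usage on a copy of the real file:  f=$(make_sample_conf); logwatch_fix "$f"
```

logwatch_check is the piece worth keeping as a recurring compliance check on the logserver: a later package update or hand edit that flips HostLimit back silently shrinks the report to one host, and the only symptom is a report that looks complete but is not.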
Enable auditd Service
The 'auditd' service is an essential userspace component of
the Linux Auditing System, as it is responsible for writing audit records to
disk.
The 'auditd' service can be enabled with the following command:
'$ sudo systemctl enable auditd'
Record Attempts to Alter Time Through stime
If the 'auditd' daemon is configured to use the
'augenrules' program to read audit rules during daemon startup (the
default), add the following line to a file with suffix '.rules' in the
directory '/etc/audit/rules.d' for both 32 bit and 64 bit systems:
'-a always,exit -F arch=b32 -S stime -k audit_time_rules'
Since the 64 bit version of the "stime" sys ...
Record Attempts to Alter Logon and Logout Events
The audit system already collects login info for all users and root. To watch for attempted manual edits of
files involved in storing logon events, add the following to '/etc/audit/audit.rules':
'-w /var/log/faillog -p wa -k logins'
'-w /var/log/lastlog -p wa -k logins'
Ensure auditd Collects Information on the Use of Privileged Commands
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. To find the relevant setuid /
setgid programs, run the following command for each local partition