
Remote Logging test for AWS CloudWatch Agent

Open • micchickenburger opened this issue 1 year ago • 1 comment

Is your feature request related to a problem? Please describe. In the Checking remote logging test, it doesn't seem that lynis is aware of AWS CloudWatch Agent, which can be configured to send logs to a CloudWatch log stream for both EC2 instances and on-prem servers.

Describe the solution you'd like I think finding the amazon cloudwatch agent configuration file and checking to see that the logs list has contents could work. I think the configuration path is typically /opt/aws/amazon-cloudwatch-agent/bin/config.json.

Using jq, here is an example of validating that this agent is configured for remote logging (as opposed to just metrics collection):

$ jq '.logs.logs_collected.files.collect_list | length' /opt/aws/amazon-cloudwatch-agent/bin/config.json
3

In this case there are three logs that are being sent remotely to CloudWatch. Example contents of these three log file configurations are as follows:

$ jq '.logs.logs_collected.files.collect_list' /opt/aws/amazon-cloudwatch-agent/bin/config.json

[
  {
    "file_path": "/var/log/auth.log",
    "log_group_name": "auth.log",
    "log_stream_name": "{instance_id}",
    "retention_in_days": 90
  },
  {
    "file_path": "/var/log/kern.log",
    "log_group_name": "kern.log",
    "log_stream_name": "{instance_id}",
    "retention_in_days": 90
  },
  {
    "file_path": "/var/log/syslog",
    "log_group_name": "syslog",
    "log_stream_name": "{instance_id}",
    "retention_in_days": 90
  }
]

And of course, validating that the service is even running:

$ sudo systemctl status amazon-cloudwatch-agent

Required changes A new test needs to be added.

micchickenburger • Mar 11 '23 00:03

There is also a log-config.json file that could be checked to see if it exists and contains contents other than {}.

$ cat /opt/aws/amazon-cloudwatch-agent/etc/log-config.json 
{"version":"1","log_configs":[{"log_group_name":"auth.log"},{"log_group_name":"kern.log"},{"log_group_name":"syslog"}],"region":"us-east-2"}

micchickenburger • Mar 11 '23 00:03
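The two comments above describe the check in pieces (count the entries in collect_list, look at log-config.json, confirm the service is up). The following is an added example of how that could be expressed as a lynis-style shell check; it is not lynis code and not the issue author's code. It uses only grep/wc/sed-style tools because lynis tests avoid hard dependencies such as jq, which means the JSON parsing is a heuristic: it counts occurrences of "file_path" and assumes they only appear inside the logs collect_list, and it treats a "logs" section as the marker of a logging (rather than metrics-only) configuration. The config paths are the ones from the issue, overridable through CW_CONFIG and CW_LOG_CONFIG for installations that put them elsewhere; the sample configs at the bottom are constructed for a dry run and the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not lynis code): decide whether the AWS CloudWatch agent is
# configured to ship log files, without depending on jq.

# Paths as given in the issue; assumed, override if your install differs.
CW_CONFIG="${CW_CONFIG:-/opt/aws/amazon-cloudwatch-agent/bin/config.json}"
CW_LOG_CONFIG="${CW_LOG_CONFIG:-/opt/aws/amazon-cloudwatch-agent/etc/log-config.json}"

# Count "file_path" entries, i.e. members of logs.logs_collected.files.collect_list.
# grep -o counts every occurrence, so compact single-line JSON and pretty-printed
# JSON give the same answer. Prints 0 for a missing file or a metrics-only config.
cw_count_collected_files() {
    f="$1"
    [ -r "$f" ] || { echo 0; return; }
    # A metrics-only config has no top-level "logs" section at all.
    grep -q '"logs"' "$f" || { echo 0; return; }
    grep -o '"file_path"' "$f" | wc -l | tr -d ' '
}

# Secondary signal from the second comment: etc/log-config.json lists the log
# groups the agent knows about. Returns 0 if at least one log_group_name is
# present, 1 if the file is absent or is just "{}".
cw_log_config_has_groups() {
    f="$1"
    [ -r "$f" ] || return 1
    grep -q '"log_group_name"' "$f"
}

# Combined verdict: 0 = remote logging configured, 1 = not configured.
cw_remote_logging_configured() {
    cfg="$1"; logcfg="$2"
    n=$(cw_count_collected_files "$cfg")
    if [ "$n" -gt 0 ]; then
        return 0
    fi
    cw_log_config_has_groups "$logcfg"
}

# Liveness check for systemd hosts; not exercised by the dry run below.
cw_agent_running() {
    command -v systemctl >/dev/null 2>&1 || return 1
    systemctl is-active --quiet amazon-cloudwatch-agent
}

# --- constructed sample configs for an offline dry run ---
CW_TMP=$(mktemp -d)
cat > "$CW_TMP/config_logs.json" <<'EOF'
{"logs":{"logs_collected":{"files":{"collect_list":[
 {"file_path":"/var/log/auth.log","log_group_name":"auth.log","log_stream_name":"{instance_id}"},
 {"file_path":"/var/log/syslog","log_group_name":"syslog","log_stream_name":"{instance_id}"}]}}}}
EOF
cat > "$CW_TMP/config_metrics_only.json" <<'EOF'
{"metrics":{"metrics_collected":{"mem":{"measurement":["mem_used_percent"]}}}}
EOF
printf '{}' > "$CW_TMP/log-config-empty.json"
printf '{"version":"1","log_configs":[{"log_group_name":"syslog"}],"region":"us-east-2"}' \
    > "$CW_TMP/log-config-groups.json"

cw_demo() {
    if cw_remote_logging_configured "$CW_TMP/config_logs.json" "$CW_TMP/log-config-empty.json"; then
        echo "remote logging: configured ($(cw_count_collected_files "$CW_TMP/config_logs.json") files)"
    fi
    if ! cw_remote_logging_configured "$CW_TMP/config_metrics_only.json" "$CW_TMP/log-config-empty.json"; then
        echo "remote logging: NOT configured (metrics-only agent)"
    fi
}
cw_demo
```

On a real host the call would be cw_remote_logging_configured "$CW_CONFIG" "$CW_LOG_CONFIG" combined with cw_agent_running, since a populated config whose agent is stopped ships nothing. The grep heuristic will also accept a collect_list whose entries point at files that do not exist, so a stricter test would additionally check each file_path with [ -r ].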