Configure TLS for rsyslog remote logging

An XCCDF Rule

Description

Configure rsyslog to use Transport Layer Security (TLS) support for logging to remote server for the Forwarding Output Module in /etc/rsyslog.conf using action. You can use the following command:

echo 'action(type="omfwd" protocol="tcp" Target="<remote system>" port="6514"
    StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" streamdriver.CheckExtendedKeyPurpose="on")' >> /etc/rsyslog.conf

Replace the <remote system> in the above command with an IP address or a host name of the remote logging server.

Rationale

For protection of data being logged, the connection to the remote logging server needs to be authenticated and encrypted.

ID: xccdf_org.ssgproject.content_rule_rsyslog_remote_tls
Severity: Medium
References: BP28(R43)

0988 1405

AU-9(3) CM-6(a)

FCS_TLSC_EXT.1 FIA_X509_EXT.1.1 FMT_SMF_EXT.1.1 FTP_ITC_EXT.1.1

SRG-OS-000120-GPOS-00061 SRG-OS-000480-GPOS-00227
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

rsyslog_remote_loghost_address='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address" use="legacy"/>'

params_to_add_if_missing=("protocol" "target" "port" "StreamDriver" "StreamDriverMode" "StreamDriverAuthMode" "streamdriver.CheckExtendedKeyPurpose")values_to_add_if_missing=("tcp" "$rsyslog_remote_loghost_address" "6514" "gtls" "1" "x509/name" "on")
params_to_replace_if_wrong_value=("protocol" "StreamDriver" "StreamDriverMode" "StreamDriverAuthMode" "streamdriver.CheckExtendedKeyPurpose")
values_to_replace_if_wrong_value=("tcp" "gtls" "1" "x509/name" "on")

files_containing_omfwd=("$(grep -ilE '^[^#]*\s*action\s*\(\s*type\s*=\s*"omfwd".*' /etc/rsyslog.conf /etc/rsyslog.d/*.conf)")
if [ -n "${files_containing_omfwd[*]}" ]; then
    for file in "${files_containing_omfwd[@]}"; do
        for ((i=0; i<${#params_to_replace_if_wrong_value[@]}; i++)); do
            sed -i -E -e 'H;$!d;x;s/^\n//' -e "s|(\s*action\s*\(\s*type\s*=\s*[\"]omfwd[\"].*?)${params_to_replace_if_wrong_value[$i]}\s*=\s*[\"]\S*[\"](.*\))|\1${params_to_replace_if_wrong_value[$i]}=\"${values_to_replace_if_wrong_value[$i]}\"\2|gI" "$file"
        done
        for ((i=0; i<${#params_to_add_if_missing[@]}; i++)); do
            if ! grep -qPzi "(?s)\s*action\s*\(\s*type\s*=\s*[\"]omfwd[\"].*?${params_to_add_if_missing[$i]}.*?\).*" "$file"; then
                sed -i -E -e 'H;$!d;x;s/^\n//' -e "s|(\s*action\s*\(\s*type\s*=\s*[\"]omfwd[\"])|\1\n${params_to_add_if_missing[$i]}=\"${values_to_add_if_missing[$i]}\"|gI" "$file"
            fi
        done
    done
else
    echo "action(type=\"omfwd\" protocol=\"tcp\" Target=\"$rsyslog_remote_loghost_address\" port=\"6514\" StreamDriver=\"gtls\" StreamDriverMode=\"1\" StreamDriverAuthMode=\"x509/name\" streamdriver.CheckExtendedKeyPurpose=\"on\")"  >> /etc/rsyslog.conf
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: XCCDF Value rsyslog_remote_loghost_address # promote to variable
  set_fact:
    rsyslog_remote_loghost_address: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address" use="legacy"/>
  tags:
    - always
- name: 'Configure TLS for rsyslog remote logging: search for omfwd action directive
    in rsyslog include files'
  ansible.builtin.find:
    paths: /etc/rsyslog.d/
    pattern: '*.conf'
    contains: ^\s*action\s*\(\s*type\s*=\s*"omfwd".*
  register: rsyslog_includes_with_directive
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_remote_tls

- name: 'Configure TLS for rsyslog remote logging: search for omfwd action directive
    in rsyslog main config file'
  ansible.builtin.find:
    paths: /etc
    pattern: rsyslog.conf
    contains: ^\s*action\s*\(\s*type\s*=\s*"omfwd".*
  register: rsyslog_main_file_with_directive
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_remote_tls

- name: 'Configure TLS for rsyslog remote logging: declare Rsyslog option parameters
    to be inserted if entirely missing'
  ansible.builtin.set_fact:
    rsyslog_parameters_to_add_if_missing:
    - protocol
    - target
    - port
    - StreamDriver
    - StreamDriverMode
    - StreamDriverAuthMode
    - streamdriver.CheckExtendedKeyPurpose
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_remote_tls

- name: 'Configure TLS for rsyslog remote logging: declare Rsyslog option values to
    be inserted if entirely missing'
  ansible.builtin.set_fact:
    rsyslog_values_to_add_if_missing:
    - tcp
    - '{{ rsyslog_remote_loghost_address }}'
    - '6514'
    - gtls
    - '1'
    - x509/name
    - 'on'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_remote_tls

- name: 'Configure TLS for rsyslog remote logging: declare Rsyslog option parameters
    to be replaced if defined with wrong values'
  ansible.builtin.set_fact:
    rsyslog_parameters_to_replace_if_wrong_value:
    - protocol
    - StreamDriver
    - StreamDriverMode
    - StreamDriverAuthMode
    - streamdriver.CheckExtendedKeyPurpose
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_remote_tls

- name: 'Configure TLS for rsyslog remote logging: declare Rsyslog option values to
    be replaced when having wrong value'
  ansible.builtin.set_fact:
    rsyslog_values_to_replace_if_wrong_value:
    - tcp
    - gtls
    - '1'
    - x509/name
    - 'on'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_remote_tls

- name: 'Configure TLS for rsyslog remote logging: assemble list of files with existing
    directives'
  ansible.builtin.set_fact:
    rsyslog_files: '{{ rsyslog_includes_with_directive.files | map(attribute=''path'')
      | list + rsyslog_main_file_with_directive.files | map(attribute=''path'') |
      list }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_remote_tls

- name: 'Configure TLS for rsyslog remote logging: try to fix existing directives'
  block:

  - name: 'Configure TLS for rsyslog remote logging: Fix existing omfwd directives
      by adjusting the value'
    ansible.builtin.replace:
      path: '{{ item[0] }}'
      regexp: (?i)^(\s*action\s*\(\s*type\s*=\s*"omfwd"[\s\S]*)({{ item[1][0] | regex_escape()
        }}\s*=\s*"\S*")([\s\S]*\))$
      replace: \1{{ item[1][0] }}="{{ item[1][1] }}"\3
    loop: '{{ rsyslog_files | product (rsyslog_parameters_to_replace_if_wrong_value
      | zip(rsyslog_values_to_replace_if_wrong_value)) | list }}'

  - name: 'Configure TLS for rsyslog remote logging: Fix existing omfwd directives
      by adding parameter and value'
    ansible.builtin.replace:
      path: '{{ item[0] }}'
      regexp: (?i)^(\s*action\s*\(\s*type\s*=\s*"omfwd"(?:[\s\S](?!{{ item[1][0] |
        regex_escape() }}))*.)(\))$
      replace: \1 {{ item[1][0] }}="{{ item[1][1] }}" \2
    loop: '{{ rsyslog_files | product (rsyslog_parameters_to_add_if_missing | zip(rsyslog_values_to_add_if_missing))
      | list }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - rsyslog_includes_with_directive.matched or rsyslog_main_file_with_directive.matched
  tags:
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_remote_tls

- name: 'Configure TLS for rsyslog remote logging: Add missing rsyslog directive'
  ansible.builtin.lineinfile:
    dest: /etc/rsyslog.conf
    line: action(type="omfwd" protocol="tcp" Target="{{ rsyslog_remote_loghost_address
      }}" port="6514" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name"
      streamdriver.CheckExtendedKeyPurpose="on")
    create: true
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - not rsyslog_includes_with_directive.matched and not rsyslog_main_file_with_directive.matched
  tags:
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_remote_tls

Configure TLS for rsyslog remote logging

Description

Rationale

Remediation - Shell Script

Remediation - Ansible