Configure rsyslog to use Transport Layer
Security (TLS) support for logging to remote server
for the Forwarding Output Module in /etc/rsyslog.conf
using action. You can use the following command:
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
rsyslog_remote_loghost_address='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address" use="legacy"/>'
params_to_add_if_missing=("protocol" "target" "port" "StreamDriver" "StreamDriverMode" "StreamDriverAuthMode" "streamdriver.CheckExtendedKeyPurpose")
values_to_add_if_missing=("tcp" "$rsyslog_remote_loghost_address" "6514" "gtls" "1" "x509/name" "on")
params_to_replace_if_wrong_value=("protocol" "StreamDriver" "StreamDriverMode" "StreamDriverAuthMode" "streamdriver.CheckExtendedKeyPurpose")
values_to_replace_if_wrong_value=("tcp" "gtls" "1" "x509/name" "on")
files_containing_omfwd=("$(grep -ilE '^[^#]*\s*action\s*\(\s*type\s*=\s*"omfwd".*' /etc/rsyslog.conf /etc/rsyslog.d/*.conf)")
if [ -n "${files_containing_omfwd[*]}" ]; then
for file in "${files_containing_omfwd[@]}"; do
for ((i=0; i<${#params_to_replace_if_wrong_value[@]}; i++)); do
sed -i -E -e 'H;$!d;x;s/^\n//' -e "s|(\s*action\s*\(\s*type\s*=\s*[\"]omfwd[\"].*?)${params_to_replace_if_wrong_value[$i]}\s*=\s*[\"]\S*[\"](.*\))|\1${params_to_replace_if_wrong_value[$i]}=\"${values_to_replace_if_wrong_value[$i]}\"\2|gI" "$file"
done
for ((i=0; i<${#params_to_add_if_missing[@]}; i++)); do
if ! grep -qPzi "(?s)\s*action\s*\(\s*type\s*=\s*[\"]omfwd[\"].*?${params_to_add_if_missing[$i]}.*?\).*" "$file"; then
sed -i -E -e 'H;$!d;x;s/^\n//' -e "s|(\s*action\s*\(\s*type\s*=\s*[\"]omfwd[\"])|\1\n${params_to_add_if_missing[$i]}=\"${values_to_add_if_missing[$i]}\"|gI" "$file"
fi
done
done
else
echo "action(type=\"omfwd\" protocol=\"tcp\" Target=\"$rsyslog_remote_loghost_address\" port=\"6514\" StreamDriver=\"gtls\" StreamDriverMode=\"1\" StreamDriverAuthMode=\"x509/name\" streamdriver.CheckExtendedKeyPurpose=\"on\")" >> /etc/rsyslog.conf
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
Remediation - Ansible
- name: XCCDF Value rsyslog_remote_loghost_address # promote to variable
set_fact:
rsyslog_remote_loghost_address: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address" use="legacy"/>
tags:
- always
- name: 'Configure TLS for rsyslog remote logging: search for omfwd action directive
in rsyslog include files'
ansible.builtin.find:
paths: /etc/rsyslog.d/
pattern: '*.conf'
contains: ^\s*action\s*\(\s*type\s*=\s*"omfwd".*
register: rsyslog_includes_with_directive
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-89194-5
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_remote_tls
- name: 'Configure TLS for rsyslog remote logging: search for omfwd action directive
in rsyslog main config file'
ansible.builtin.find:
paths: /etc
pattern: rsyslog.conf
contains: ^\s*action\s*\(\s*type\s*=\s*"omfwd".*
register: rsyslog_main_file_with_directive
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-89194-5
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_remote_tls
- name: 'Configure TLS for rsyslog remote logging: declare Rsyslog option parameters
to be inserted if entirely missing'
ansible.builtin.set_fact:
rsyslog_parameters_to_add_if_missing:
- protocol
- target
- port
- StreamDriver
- StreamDriverMode
- StreamDriverAuthMode
- streamdriver.CheckExtendedKeyPurpose
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-89194-5
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_remote_tls
- name: 'Configure TLS for rsyslog remote logging: declare Rsyslog option values to
be inserted if entirely missing'
ansible.builtin.set_fact:
rsyslog_values_to_add_if_missing:
- tcp
- '{{ rsyslog_remote_loghost_address }}'
- '6514'
- gtls
- '1'
- x509/name
- 'on'
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-89194-5
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_remote_tls
- name: 'Configure TLS for rsyslog remote logging: declare Rsyslog option parameters
to be replaced if defined with wrong values'
ansible.builtin.set_fact:
rsyslog_parameters_to_replace_if_wrong_value:
- protocol
- StreamDriver
- StreamDriverMode
- StreamDriverAuthMode
- streamdriver.CheckExtendedKeyPurpose
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-89194-5
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_remote_tls
- name: 'Configure TLS for rsyslog remote logging: declare Rsyslog option values to
be replaced when having wrong value'
ansible.builtin.set_fact:
rsyslog_values_to_replace_if_wrong_value:
- tcp
- gtls
- '1'
- x509/name
- 'on'
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-89194-5
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_remote_tls
- name: 'Configure TLS for rsyslog remote logging: assemble list of files with existing
directives'
ansible.builtin.set_fact:
rsyslog_files: '{{ rsyslog_includes_with_directive.files | map(attribute=''path'')
| list + rsyslog_main_file_with_directive.files | map(attribute=''path'') |
list }}'
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-89194-5
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_remote_tls
- name: 'Configure TLS for rsyslog remote logging: try to fix existing directives'
block:
- name: 'Configure TLS for rsyslog remote logging: Fix existing omfwd directives
by adjusting the value'
ansible.builtin.replace:
path: '{{ item[0] }}'
regexp: (?i)^(\s*action\s*\(\s*type\s*=\s*"omfwd"[\s\S]*)({{ item[1][0] | regex_escape()
}}\s*=\s*"\S*")([\s\S]*\))$
replace: \1{{ item[1][0] }}="{{ item[1][1] }}"\3
loop: '{{ rsyslog_files | product (rsyslog_parameters_to_replace_if_wrong_value
| zip(rsyslog_values_to_replace_if_wrong_value)) | list }}'
- name: 'Configure TLS for rsyslog remote logging: Fix existing omfwd directives
by adding parameter and value'
ansible.builtin.replace:
path: '{{ item[0] }}'
regexp: (?i)^(\s*action\s*\(\s*type\s*=\s*"omfwd"(?:[\s\S](?!{{ item[1][0] |
regex_escape() }}))*.)(\))$
replace: \1 {{ item[1][0] }}="{{ item[1][1] }}" \2
loop: '{{ rsyslog_files | product (rsyslog_parameters_to_add_if_missing | zip(rsyslog_values_to_add_if_missing))
| list }}'
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- rsyslog_includes_with_directive.matched or rsyslog_main_file_with_directive.matched
tags:
- CCE-89194-5
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_remote_tls
- name: 'Configure TLS for rsyslog remote logging: Add missing rsyslog directive'
ansible.builtin.lineinfile:
dest: /etc/rsyslog.conf
line: action(type="omfwd" protocol="tcp" Target="{{ rsyslog_remote_loghost_address
}}" port="6514" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name"
streamdriver.CheckExtendedKeyPurpose="on")
create: true
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- not rsyslog_includes_with_directive.matched and not rsyslog_main_file_with_directive.matched
tags:
- CCE-89194-5
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(a)
- configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- rsyslog_remote_tls