Ensure Rsyslog Authenticates Off-Loaded Audit Records

An XCCDF Rule

Description

Rsyslogd is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with gnutls (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. When using rsyslogd to off-load logs the remote system must be authenticated. Set the following configuration option in /etc/rsyslog.conf or in a file in /etc/rsyslog.d (using legacy syntax):

$ActionSendStreamDriverAuthMode x509/name

Alternatively, use the RainerScript syntax:

action(type="omfwd" Target="some.example.com" StreamDriverAuthMode="x509/name")

Rationale

The audit records generated by Rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Audit records should be protected from unauthorized access.

ID: xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode
Severity: Medium
References: CCI-001851

AU-4(1)

SRG-OS-000342-GPOS-00133 SRG-OS-000479-GPOS-00224

RHEL-08-030720

CCE-86339-9

SV-230482r958754_rule
Updated: 5 days ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-86339-9
  - DISA-STIG-RHEL-08-030720  - NIST-800-53-AU-4(1)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_encrypt_offload_actionsendstreamdriverauthmode

- name: Ensure Rsyslog Authenticates Off-Loaded Audit Records
  block:

  - name: Deduplicate values from /etc/rsyslog.conf
    lineinfile:
      path: /etc/rsyslog.conf
      create: false
      regexp: (?i)^\s*{{ "$ActionSendStreamDriverAuthMode"| regex_escape }}\s
      state: absent

  - name: Check if /etc/rsyslog.d exists
    stat:
      path: /etc/rsyslog.d
    register: _etc_rsyslog_d_exists

  - name: Check if the parameter $ActionSendStreamDriverAuthMode is present in /etc/rsyslog.d
    find:
      paths: /etc/rsyslog.d
      recurse: 'yes'
      follow: 'no'
      contains: ^\s*{{ "$ActionSendStreamDriverAuthMode"| regex_escape }}\s
    register: _etc_rsyslog_d_has_parameter
    when: _etc_rsyslog_d_exists.stat.isdir is defined and _etc_rsyslog_d_exists.stat.isdir

  - name: Remove parameter from files in /etc/rsyslog.d
    lineinfile:
      path: '{{ item.path }}'
      create: false
      regexp: (?i)^\s*{{ "$ActionSendStreamDriverAuthMode"| regex_escape }}\s
      state: absent
    with_items: '{{ _etc_rsyslog_d_has_parameter.files }}'
    when: _etc_rsyslog_d_has_parameter.matched

  - name: Insert correct line to /etc/rsyslog.conf
    lineinfile:
      path: /etc/rsyslog.conf
      create: true
      regexp: (?i)^\s*{{ "$ActionSendStreamDriverAuthMode"| regex_escape }}\s
      line: $ActionSendStreamDriverAuthMode x509/name
      state: present
  when: '"kernel" in ansible_facts.packages'
  tags:
  - CCE-86339-9
  - DISA-STIG-RHEL-08-030720
  - NIST-800-53-AU-4(1)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_encrypt_offload_actionsendstreamdriverauthmode

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then

sed -i '/^.*\$ActionSendStreamDriverAuthMode.*/d' /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2> /dev/null

if [ -e "/etc/rsyslog.d/stream_driver_auth.conf" ] ; then    
    LC_ALL=C sed -i "/^\s*\$ActionSendStreamDriverAuthMode /Id" "/etc/rsyslog.d/stream_driver_auth.conf"
else
    touch "/etc/rsyslog.d/stream_driver_auth.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/rsyslog.d/stream_driver_auth.conf"

cp "/etc/rsyslog.d/stream_driver_auth.conf" "/etc/rsyslog.d/stream_driver_auth.conf.bak"
# Insert at the end of the file
printf '%s\n' "\$ActionSendStreamDriverAuthMode x509/name" >> "/etc/rsyslog.d/stream_driver_auth.conf"
# Clean up after ourselves.
rm "/etc/rsyslog.d/stream_driver_auth.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure Rsyslog Authenticates Off-Loaded Audit Records

Description

Rationale

Remediation - Ansible

Remediation - Shell Script