Ensure Rsyslog Encrypts Off-Loaded Audit Records
An XCCDF Rule
Description
Rsyslogd is a system utility providing support for message logging. Support
for both internet and UNIX domain sockets enables this utility to support both local
and remote logging. Couple this utility with gnutls
(which is a secure communications
library implementing the SSL, TLS and DTLS protocols), and you have a method to securely
encrypt and off-load auditing.
When using rsyslogd
to off-load logs off an encryption system must be used.
Rationale
The audit records generated by Rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Audit records should be protected from unauthorized access.
- ID
- xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Ensure Rsyslog Encrypts Off-Loaded Audit Records
block:
- name: Deduplicate values from /etc/rsyslog.conf
lineinfile:
path: /etc/rsyslog.conf
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
if [ -e "/etc/rsyslog.d/encrypt.conf" ] ; then
LC_ALL=C sed -i "/^\s*\$DefaultNetstreamDriver /Id" "/etc/rsyslog.d/encrypt.conf"