mediumauditverified ✓
Encrypt rsyslog audit record transfer with GNUTLS
rsyslog-encrypt-connection · RHEL ≥ 8 · 1 impl
Description
RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or storage media from the system being audited. Rsyslog must be configured to use the gtls network stream driver with stream driver mode set to 1 (TLS).
Rationale
If audit records are transferred without encryption, a man-in-the-middle attacker could intercept or modify the audit data in transit. Encrypting the transfer ensures the integrity and confidentiality of the audit records.
Check → Remediate
Checkcommand
grep -qE '^\s*\$DefaultNetstreamDriver\s+gtls' /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>/dev/null && grep -qE '^\s*\$ActionSendStreamDriverMode\s+1' /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>/dev/null
- expected_exit:
- 0
Remediatemanual
- note:
- Configure rsyslog to encrypt off-loaded audit records by adding these lines to /etc/rsyslog.conf or /etc/rsyslog.d/[customfile].conf: $DefaultNetstreamDriver gtls $ActionSendStreamDriverMode 1 Then restart the rsyslog service.
Framework references
STIG
V-280989 / RHEL-10-200646V-258147 / RHEL-09-652045V-258148 / RHEL-09-652050V-230481
NIST 800-53
AU-9SC-8
Live verification
rhel8:check
#audit#rsyslog#encryption#tls#stig