← Rules Catalog
mediumauditverified

Encrypt rsyslog audit record transfer with GNUTLS

rsyslog-encrypt-connection · RHEL ≥ 8 · 1 impl

Description

RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or storage media from the system being audited. Rsyslog must be configured to use the gtls network stream driver with stream driver mode set to 1 (TLS).

Rationale

If audit records are transferred without encryption, a man-in-the-middle attacker could intercept or modify the audit data in transit. Encrypting the transfer ensures the integrity and confidentiality of the audit records.

Check → Remediate

Checkcommand
grep -qE '^\s*\$DefaultNetstreamDriver\s+gtls' /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>/dev/null && grep -qE '^\s*\$ActionSendStreamDriverMode\s+1' /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>/dev/null
expected_exit:
0
Remediatemanual
note:
Configure rsyslog to encrypt off-loaded audit records by adding these lines to /etc/rsyslog.conf or /etc/rsyslog.d/[customfile].conf: $DefaultNetstreamDriver gtls $ActionSendStreamDriverMode 1 Then restart the rsyslog service.

Framework references

STIG

V-280989 / RHEL-10-200646V-258147 / RHEL-09-652045V-258148 / RHEL-09-652050V-230481

NIST 800-53

AU-9SC-8

Live verification

rhel8:check
#audit#rsyslog#encryption#tls#stig