mediumauditverified ✓rollback-safe
Configure rsyslog to offload audit records to a remote server
rsyslog-remote-server · RHEL ≥ 8 · 1 impl
Description
RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited. Rsyslog must be configured with a remote server using TCP (@@) forwarding.
Rationale
Storing audit records only on the audited system means that if the system is compromised, the attacker can modify or destroy the audit trail. Off-loading audit records to a remote server provides an independent copy of the audit data that cannot be modified by a local attacker.
Check → Remediate
Checkcommand
grep -E '^\s*\*\.\*\s+@@' /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>/dev/null | grep -v '^\s*#'
- expected_exit:
- 0
Remediateconfig_set_dropin
- dir:
- /etc/rsyslog.d
- file:
- 00-kensa-remote.conf
- key:
- *.*
- value:
- @@{{ rsyslog_remote_server }}
- restart:
- rsyslog
Framework references
STIG
V-280985 / RHEL-10-200642V-258149 / RHEL-09-652055V-230479
NIST 800-53
AU-4AU-9
Live verification
rhel8:check
#audit#rsyslog#remote#stig