← Rules Catalog
mediumauditverified rollback-safe

Configure rsyslog to offload audit records to a remote server

rsyslog-remote-server · RHEL ≥ 8 · 1 impl

Description

RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited. Rsyslog must be configured with a remote server using TCP (@@) forwarding.

Rationale

Storing audit records only on the audited system means that if the system is compromised, the attacker can modify or destroy the audit trail. Off-loading audit records to a remote server provides an independent copy of the audit data that cannot be modified by a local attacker.

Check → Remediate

Checkcommand
grep -E '^\s*\*\.\*\s+@@' /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>/dev/null | grep -v '^\s*#'
expected_exit:
0
Remediateconfig_set_dropin
dir:
/etc/rsyslog.d
file:
00-kensa-remote.conf
key:
*.*
value:
@@{{ rsyslog_remote_server }}
restart:
rsyslog

Framework references

STIG

V-280985 / RHEL-10-200642V-258149 / RHEL-09-652055V-230479

NIST 800-53

AU-4AU-9

Live verification

rhel8:check
#audit#rsyslog#remote#stig