← Rules Catalog
mediumauditverified rollback-safe

Authenticate rsyslog remote logging server with x509 certificate

rsyslog-verify-remote-server · RHEL ≥ 8 · 1 impl

Description

RHEL 8 must authenticate the remote logging server for off-loading audit logs. Rsyslog must be configured with ActionSendStreamDriverAuthMode set to x509/name to verify the remote server's certificate.

Rationale

Without verifying the identity of the remote logging server, audit records could be sent to a rogue server. Configuring certificate verification ensures the audit data is sent only to the authorized remote logging system.

Check → Remediate

Checkcommand
# Accept either rsyslog dialect setting authmode to x509/name:
#   legacy global directive $ActionSendStreamDriverAuthMode x509/name, or
#   modern omfwd action-object streamdriver.authmode/tls.authmode="x509/name".
# has() drops full-line comments so a commented example is not a false PASS
# (XCCDF: a commented-out authmode line is a finding). The modern
# module-block-vs-omfwd-block placement nuance remains a manual check.
has() { grep -rhsE "$1" /etc/rsyslog.conf /etc/rsyslog.d/ 2>/dev/null | grep -qv '^[[:space:]]*#'; }
if has '^[[:space:]]*\$ActionSendStreamDriverAuthMode[[:space:]]+x509/name' \
   || has '(streamdriver\.authmode|tls\.authmode)[[:space:]]*=[[:space:]]*"?x509/name"?'; then
  echo "OK: rsyslog authenticates the remote logging server (authmode x509/name)"
  exit 0
fi
echo "FAIL: rsyslog does not set authmode to x509/name (legacy or modern syntax)"
exit 1
expected_exit:
0
Remediateconfig_set_dropin
dir:
/etc/rsyslog.d
file:
00-kensa-stream-auth.conf
key:
$ActionSendStreamDriverAuthMode
value:
x509/name
restart:
rsyslog

Framework references

STIG

V-280987 / RHEL-10-200644V-258146 / RHEL-09-652040V-230482

NIST 800-53

AU-9SC-8IA-3

Live verification

rhel8:check
#audit#rsyslog#authentication#tls#stig