mediumauditverified ✓rollback-safe
Authenticate rsyslog remote logging server with x509 certificate
rsyslog-verify-remote-server · RHEL ≥ 8 · 1 impl
Description
RHEL 8 must authenticate the remote logging server for off-loading audit logs. Rsyslog must be configured with ActionSendStreamDriverAuthMode set to x509/name to verify the remote server's certificate.
Rationale
Without verifying the identity of the remote logging server, audit records could be sent to a rogue server. Configuring certificate verification ensures the audit data is sent only to the authorized remote logging system.
Check → Remediate
Checkcommand
# Accept either rsyslog dialect setting authmode to x509/name:
# legacy global directive $ActionSendStreamDriverAuthMode x509/name, or
# modern omfwd action-object streamdriver.authmode/tls.authmode="x509/name".
# has() drops full-line comments so a commented example is not a false PASS
# (XCCDF: a commented-out authmode line is a finding). The modern
# module-block-vs-omfwd-block placement nuance remains a manual check.
has() { grep -rhsE "$1" /etc/rsyslog.conf /etc/rsyslog.d/ 2>/dev/null | grep -qv '^[[:space:]]*#'; }
if has '^[[:space:]]*\$ActionSendStreamDriverAuthMode[[:space:]]+x509/name' \
|| has '(streamdriver\.authmode|tls\.authmode)[[:space:]]*=[[:space:]]*"?x509/name"?'; then
echo "OK: rsyslog authenticates the remote logging server (authmode x509/name)"
exit 0
fi
echo "FAIL: rsyslog does not set authmode to x509/name (legacy or modern syntax)"
exit 1
- expected_exit:
- 0
Remediateconfig_set_dropin
- dir:
- /etc/rsyslog.d
- file:
- 00-kensa-stream-auth.conf
- key:
- $ActionSendStreamDriverAuthMode
- value:
- x509/name
- restart:
- rsyslog
Framework references
STIG
V-280987 / RHEL-10-200644V-258146 / RHEL-09-652040V-230482
NIST 800-53
AU-9SC-8IA-3
Live verification
rhel8:check
#audit#rsyslog#authentication#tls#stig