NixOS must authenticate the remote logging server for off-loading audit logs.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-268109 | ANIX-00-000490 | SV-268109r1039595_rule | Medium |
| Description |
| Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. NixOS supports "syslog-ng". "syslog-ng" is a common system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. This utility also natively supports TLS to securely encrypt and off-load auditing. Satisfies: SRG-OS-000051-GPOS-00024, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 |
| STIG | Date |
| Anduril NixOS Security Technical Implementation Guide | 2024-10-25 |
Details
| Check Text (C-72033r1039213_chk) |
| Verify the operating system authenticates the remote logging server for off-loading audit logs. List the configured destinations with the following command: $ cat $(egrep -o 'cfgfile=.*\.conf' $(nix-store --query --requisites /run/current-system | grep syslog-ng.service)/syslog-ng.service | awk -F '=' '{print $2}') @version: 4.4 @include "scl.conf" options { keep-hostname(yes); create_dirs(yes); owner(root); group(root); perm(0644); dir_owner(root); dir_group(root); dir_perm(0755); }; source s_local { system(); internal(); }; destination d_local { file("/var/log/messages"); }; destination d_network { syslog( "<remote-logging-server>" port(<port>) transport(tls) tls( cert-file("/var/syslog-ng/certs.d/certificate.crt") key-file("/var/syslog-ng/certs.d/certificate.key") ca-file("/var/syslog-ng/certs.d/cert-bundle.crt") peer-verify(yes) ) ); }; log { source(s_local); destination(d_local); destination(d_network); }; If the remote destination does not specify "transport(tls)", the remote destination tls configuration does not specify "peer-verify(yes)" or "peer-verify(required-trusted)", or the lines are commented out, ask the system administrator (SA) to indicate how the audit logs are off-loaded to a different system or media. If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding. |
| Fix Text (F-71936r1039214_fix) |
| Configure the operating system to authenticate the remote logging server for off-loading audit logs. Add or update the "services.syslog-ng.extraConfig" configuration in /etc/nixos/configuration.nix to include the following: destination d_network { syslog( "<remote-logging-server>" port(<port>) transport(tls) tls( cert-file("/var/syslog-ng/certs.d/certificate.crt") key-file("/var/syslog-ng/certs.d/certificate.key") ca-file("/var/syslog-ng/certs.d/cert-bundle.crt") peer-verify(yes) ) ); }; log { source(s_local); destination(d_local); destination(d_network); }; For example, an updated configuration of 'services.rsyslogd.extraConfig' would look like the following in /etc/nixos/configuration.nix ('...' denoting that the 'services.rsyslogd.extraConfig' configuration may have other options configured): services.rsyslogd.extraConfig = '' ... destination d_network { syslog( "<remote-logging-server>" port(<port>) transport(tls) tls( cert-file("/var/syslog-ng/certs.d/certificate.crt") key-file("/var/syslog-ng/certs.d/certificate.key") ca-file("/var/syslog-ng/certs.d/cert-bundle.crt") peer-verify(yes) ) ); }; log { source(s_local); destination(d_local); destination(d_network); }; ... ''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch |