Title

Amazon Linux 2023 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited via rsyslog. (Cat II impact)

Discussion

Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Check Content

Verify Amazon Linux 2023 encrypts audit records off-loaded onto a different system or media from the system being audited via rsyslog with the following command: $ sudo grep -i '$ActionSendStreamDriverMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf /etc/rsyslog.conf:$ActionSendStreamDriverMode 1 If the value of the "$ActionSendStreamDriverMode" option is not set to "1" or the line is commented out, this is a finding.

Fix Text

Configure Amazon Linux 2023 to encrypt off-loaded audit records via rsyslog by setting the following options in "/etc/rsyslog.conf" or "/etc/rsyslog.d/[customfile].conf": $ActionSendStreamDriverMode 1

Additional Identifiers

Rule ID: SV-274078r1120222_rule

Vulnerability ID: V-274078

Group Title: SRG-OS-000479-GPOS-00224

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.