Check: AZLX-23-002065
Amazon Linux 2023 STIG, version v1 r1
Title
Amazon Linux 2023 must authenticate the remote logging server for off-loading audit logs via rsyslog. (Cat II impact)
Discussion
Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Check Content
Verify Amazon Linux 2023 authenticates the remote logging server for off-loading audit logs with the following command:

$ sudo grep -i '$ActionSendStreamDriverAuthMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
/etc/rsyslog.conf:$ActionSendStreamDriverAuthMode x509/name

If the value of the "$ActionSendStreamDriverAuthMode" option is not set to "x509/name", or the line is commented out, ask the system administrator (SA) to indicate how the audit logs are off-loaded to a different system or media. If there is no evidence that the audit logs off-loaded to another system or media are transferred with encryption, this is a finding.
Fix Text
Configure Amazon Linux 2023 to authenticate the remote logging server for off-loading audit logs by setting the following option in "/etc/rsyslog.conf" or "/etc/rsyslog.d/[customfile].conf":

$ActionSendStreamDriverAuthMode x509/name
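The check above, as an added POSIX shell example that is not part of the STIG text: it scans the rsyslog configuration files the check names, ignores commented-out lines (which the check treats as a finding), and reports whether an active "$ActionSendStreamDriverAuthMode x509/name" line exists. Only the legacy directive form the check quotes is recognised; the sample configuration files at the end are constructed for demonstration.

```shell
#!/bin/sh
# Evaluate AZLX-23-002065: does any rsyslog config file set the legacy directive
# "$ActionSendStreamDriverAuthMode x509/name" on an uncommented line?
# Usage: check_rsyslog_authmode [file ...]; defaults to the paths the check lists.
# Returns 0 when compliant, 1 when this would be a finding.
check_rsyslog_authmode() {
    if [ "$#" -eq 0 ]; then
        set -- /etc/rsyslog.conf /etc/rsyslog.d/*.conf
    fi
    found=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Drop leading whitespace, discard comment lines, then match the directive
        # and its value case-insensitively (rsyslog directives are not case-sensitive,
        # which is why the STIG check uses grep -i).
        if sed 's/^[[:space:]]*//' "$f" | grep -v '^#' | \
           grep -iq '^\$ActionSendStreamDriverAuthMode[[:space:]]\{1,\}x509/name[[:space:]]*$'; then
            echo "compliant: $f sets \$ActionSendStreamDriverAuthMode x509/name"
            found=1
        fi
    done
    [ "$found" -eq 1 ] && return 0
    echo "FINDING: no active \$ActionSendStreamDriverAuthMode x509/name in: $*"
    return 1
}

# Constructed sample configs in a temporary directory so the script runs offline.
demo_dir=$(mktemp -d)
printf '# $ActionSendStreamDriverAuthMode x509/name\n' > "$demo_dir/commented.conf"
printf '$ActionSendStreamDriverAuthMode anon\n' > "$demo_dir/anon.conf"
printf '   $actionsendstreamdriverauthmode x509/name\n' > "$demo_dir/good.conf"

# Demonstration run over the constructed files: good.conf satisfies the check.
check_rsyslog_authmode "$demo_dir"/*.conf
```

On a real host, run the function with no arguments to evaluate the paths named in the check; the file that satisfies it is printed, which is the evidence an assessor asks for.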
Additional Identifiers
Rule ID: SV-274077r1120219_rule
Vulnerability ID: V-274077
Group Title: SRG-OS-000479-GPOS-00224
CCIs
| Number | Definition |
|---|---|
| CCI-001851 | Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging. |
Controls
| Number | Title |
|---|---|
| AU-4(1) | Transfer to Alternate Storage |