An error occurred:

Check: ANIX-00-000490

Anduril NixOS STIG: ANIX-00-000490 (in version v1 r2)

Title

NixOS must authenticate the remote logging server for off-loading audit logs. (Cat II impact)

Discussion

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. NixOS supports "systemd-journald", which is a common system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. This utility also natively supports TLS to securely encrypt and off-load auditing. Satisfies: SRG-OS-000051-GPOS-00024, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224

Check Content

Verify the operating system authenticates the remote logging server for off-loading audit logs. List the configured destinations with the following command: $ grep -i "TrustedCertificateFile" /etc/systemd/journal-upload.conf" If no TrustedCertificateFile is configured or is set to "all", this is a finding.

Fix Text

Configure the operating system to authenticate the remote logging server for off-loading audit logs. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: destination d_network { syslog( "<remote-logging-server>" port(<port>) transport(tls) tls( cert-file("/var/syslog-ng/certs.d/certificate.crt") key-file("/var/syslog-ng/certs.d/certificate.key") ca-file("/var/syslog-ng/certs.d/cert-bundle.crt") peer-verify(yes) ) ); }; log { source(s_local); destination(d_local); destination(d_network); }; For example, an updated configuration of 'services.rsyslogd.extraConfig' would look like the following in /etc/nixos/configuration.nix ('...' denoting that the 'services.rsyslogd.extraConfig' configuration may have other options configured): services.rsyslogd.extraConfig = '' ... destination d_network { syslog( "<remote-logging-server>" port(<port>) transport(tls) tls( cert-file("/var/syslog-ng/certs.d/certificate.crt") key-file("/var/syslog-ng/certs.d/certificate.key") ca-file("/var/syslog-ng/certs.d/cert-bundle.crt") peer-verify(yes) ) ); }; log { source(s_local); destination(d_local); destination(d_network); }; ... ''; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

Additional Identifiers

Rule ID: SV-268109r1131023_rule

Vulnerability ID: V-268109

Group Title: SRG-OS-000051-GPOS-00024

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000154

Provide the capability to centrally review and analyze audit records from multiple components within the system.
CCI-001851

Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AU-4(1)

Transfer to Alternate Storage
AU-6(4)

Central Review and Analysis