Title

NixOS must have the packages required for offloading audit logs installed and running. (Cat II impact)

Discussion

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. NixOS supports "systemd-journald", which is a common system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. This utility also natively supports TLS to securely encrypt and off-load auditing. Satisfies: SRG-OS-000051-GPOS-00024, SRG-OS-000269-GPOS-00103

Check Content

Verify that the systemd-journald service is running with the following command: $ systemctl status systemd-journald.service systemd-journald.service - Journal Service Loaded: loaded (/etc/systemd/system/systemd-journald.service; enabled; preset: ignored) Drop-In: /nix/store/z8klzmxqgpmn8ganwrsqizy3qdxnirr8-system-units/systemd-journald.service.d +-overrides.conf Active: active (running) since Mon 2025-03-10 10:41:08 PDT; 1 day 2h ago If the systemd-journald.service is not "active" and "running", this is a finding.

Fix Text

Configure the operating system to off-load audit logs. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: services.journald.audit = true; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

Additional Identifiers

Rule ID: SV-268107r1131017_rule

Vulnerability ID: V-268107

Group Title: SRG-OS-000051-GPOS-00024

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.