@ferricoxide
Member

Closes #557

When run on a system with no /etc/rsyslog.d/*.conf files containing a $ActionSendStreamDriverAuthMode setting, run-output looks like:

----------
           ID: ALMA-09-052600-description
     Function: test.show_notification
       Result: True
      Comment: ----------------------------------------
               STIG Finding ID: ALMA-09-052600
                   The OS must authenticate the remote
                   logging server for offloading audit
                   logs via rsyslog
               ----------------------------------------
      Started: 17:48:15.777285
     Duration: 0.677 ms
      Changes:
 ----------
           ID: Fix $ActionSendStreamDriverAuthMode setting in /etc/rsyslog.conf (ALMA-09-052600)
     Function: file.replace
         Name: /etc/rsyslog.conf
       Result: True
      Comment: Changes were made
      Started: 17:48:15.778113
     Duration: 6.497 ms
      Changes:
               ----------
               diff:
                   ---
                   +++
                   @@ -82,3 +82,4 @@
                    auth.* /var/log/secure
                    daemon.* /var/log/messages

                   +# Set per rule ALMA-09-052600
                   $ActionSendStreamDriverAuthMode x509/name
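Review bot: the directive in this hunk is appended as the last line of /etc/rsyslog.conf, after the `auth.*` and `daemon.*` rules shown as context. Legacy `$Action...` directives apply only to actions defined after them, so at this position the setting satisfies a scan for the string but may not govern any forwarding action; consider writing it ahead of the action it is meant to cover, or into a drop-in that is read before that action. The `$ActionSendStreamDriverAuthMode x509/name` line is also shown without a `+` although the header counts one added line, which suggests the comment and the directive are appended as a single multi-line string.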
 ----------
           ID: Re-read rsyslog configuration-options
     Function: service.running
         Name: rsyslog.service
       Result: True
      Comment: Service restarted
      Started: 17:48:16.223369
     Duration: 853.961 ms
      Changes:
               ----------
               rsyslog.service:
                   True
 ----------

When run on a system with /etc/rsyslog.d/*.conf files containing conflicting values for the $ActionSendStreamDriverAuthMode setting, run-output looks like:

----------
          ID: ALMA-09-052600-description
    Function: test.show_notification
      Result: True
     Comment: ----------------------------------------
              STIG Finding ID: ALMA-09-052600
                  The OS must authenticate the remote
                  logging server for offloading audit
                  logs via rsyslog
              ----------------------------------------
     Started: 17:58:25.151096
    Duration: 0.716 ms
     Changes:
----------
          ID: Fix $ActionSendStreamDriverAuthMode setting in /etc/rsyslog.d/stream_driver_auth.conf (ALMA-09-052600)
    Function: file.replace
        Name: /etc/rsyslog.d/stream_driver_auth.conf
      Result: True
     Comment: Changes were made
     Started: 17:58:25.154526
    Duration: 8.325 ms
     Changes:
              ----------
              diff:
                  ---
                  +++
                  @@ -1 +1 @@
                  -$ActionSendStreamDriverAuthMode x509/fingerprint
                  +$ActionSendStreamDriverAuthMode x509/name
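Review bot: the replacement on the single line of this hunk rewrites an existing `x509/fingerprint` value in place and leaves no marker, whereas the append case in /etc/rsyslog.conf adds `# Set per rule ALMA-09-052600` above the directive. Consider emitting the same comment on replacement so that an operator reading /etc/rsyslog.d/stream_driver_auth.conf can tell the value was changed for this finding.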
----------
          ID: Re-read rsyslog configuration-options
    Function: service.running
        Name: rsyslog.service
      Result: True
     Comment: Service restarted
     Started: 17:58:27.077816
    Duration: 748.356 ms
     Changes:
              ----------
              rsyslog.service:
                  True
------------

When run on a system with /etc/rsyslog.d/*.conf files containing conformant values for the $ActionSendStreamDriverAuthMode setting, run-output looks like:

----------
          ID: ALMA-09-052600-description
    Function: test.show_notification
      Result: True
     Comment: ----------------------------------------
              STIG Finding ID: ALMA-09-052600
                  The OS must authenticate the remote
                  logging server for offloading audit
                  logs via rsyslog
              ----------------------------------------
     Started: 17:56:45.654166
    Duration: 0.834 ms
     Changes:
----------
          ID: Fix $ActionSendStreamDriverAuthMode setting in /etc/rsyslog.d/stream_driver_auth.conf (ALMA-09-052600)
    Function: file.replace
        Name: /etc/rsyslog.d/stream_driver_auth.conf
      Result: True
     Comment: No changes needed to be made
     Started: 17:56:45.658235
    Duration: 6.184 ms
     Changes:
----------
          ID: Re-read rsyslog configuration-options
    Function: service.running
        Name: rsyslog.service
      Result: True
     Comment: The service rsyslog.service is already running
     Started: 17:56:45.680265
    Duration: 2615.903 ms
     Changes:
------------
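
The three cases in the description above, reproduced as a read-only audit. This is an added example, not code from this pull request or the project's formula: `plan` and `demo` are hypothetical names, the files are constructed in a temporary directory, and falling back to the main file when no drop-in carries the directive is this example's assumption about the behaviour the output shows.

```python
import re
import tempfile
from pathlib import Path

REQUIRED = "x509/name"
# Uncommented legacy directive at the start of a line; captures its value.
DIRECTIVE = re.compile(r"^[ \t]*\$ActionSendStreamDriverAuthMode[ \t]+(\S+)", re.M)

def plan(main_conf, dropin_dir):
    """Return {path: action}, action being 'append', 'replace' or 'ok'."""
    settings = {}
    for path in sorted(Path(dropin_dir).glob("*.conf")):
        values = DIRECTIVE.findall(path.read_text())
        if values:
            settings[str(path)] = values
    if not settings:
        # No drop-in carries the directive: fall back to the main file.
        values = DIRECTIVE.findall(Path(main_conf).read_text())
        if not values:
            return {str(main_conf): "append"}
        settings[str(main_conf)] = values
    return {p: "ok" if all(v == REQUIRED for v in vals) else "replace"
            for p, vals in settings.items()}

def demo():
    """Run the three cases from the description on constructed files."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        main = root / "rsyslog.conf"
        main.write_text("auth.* /var/log/secure\ndaemon.* /var/log/messages\n")
        dropins = root / "rsyslog.d"
        dropins.mkdir()
        dropin = dropins / "stream_driver_auth.conf"
        results["missing"] = list(plan(main, dropins).values())
        dropin.write_text("$ActionSendStreamDriverAuthMode x509/fingerprint\n")
        results["conflicting"] = list(plan(main, dropins).values())
        dropin.write_text("# site policy\n$ActionSendStreamDriverAuthMode x509/name\n")
        results["conformant"] = list(plan(main, dropins).values())
    return results

if __name__ == "__main__":
    for case, actions in demo().items():
        print(f"{case}: {actions}")
```

A commented-out directive does not count as a setting here, so a file holding only `# $ActionSendStreamDriverAuthMode ...` is treated as missing.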

@ferricoxide ferricoxide requested a review from a team January 14, 2026 18:01
dwc0011 previously approved these changes Jan 14, 2026
@ferricoxide ferricoxide merged commit 4b41e89 into plus3it:master Jan 14, 2026
10 checks passed
@ferricoxide ferricoxide deleted the Feature/Issue_557 branch January 14, 2026 19:03
Successfully merging this pull request may close these issues.

[Feature Request] Compliance Setting: "OS must authenticate the remote logging server for offloading audit logs via rsyslog"