@ferricoxide
Member

If the ash-linux:lookup:rsyslog:collector_host Pillar value is set, this automation will attempt to configure the rsyslog service to forward all logged activity to the host declared via the ash-linux:lookup:rsyslog:collector_host Pillar value.

Closes #555

Duplicative automation, but prevents repeated configuration content *in* the possible target files

If a site actually uses rsyslog for log-data offload, pull the destination from Pillar
@ferricoxide
Member Author

Testing output:

Content executes on Red Hat and Oracle Enterprise Linux, Alma and Rocky Linux and CentOS Stream 9. Testing-output from Alma Linux 9 shown.

Pillar-Value not declared:

----------
          ID: ALMA-09-053040-description
    Function: test.show_notification
      Result: True
     Comment: ----------------------------------------
              STIG Finding ID: ALMA-09-053040
                  The OS must be configured to forward
                  audit records via TCP to a different
                  system or media from the system
                  being audited via rsyslog
              ----------------------------------------
     Started: 16:34:31.118517
    Duration: 0.796 ms
     Changes:
----------
          ID: No Collector Specified (ALMA-09-053040)
    Function: test.show_notification
      Result: True
     Comment: No syslog collector hostname/IP found in Pillar-data
     Started: 16:34:31.119452
    Duration: 0.524 ms
     Changes:
----------
          ID: Re-read rsyslog configuration-options (ALMA-09-053040)
    Function: service.running
        Name: rsyslog.service
      Result: True
     Comment: The service rsyslog.service is already running
     Started: 16:34:31.135215
    Duration: 2023.537 ms
     Changes:
------------

Pillar-Value declared:

Value not set anywhere (/etc/rsyslog.conf or /etc/rsyslog.d/*.conf):

----------
          ID: ALMA-09-053040-description
    Function: test.show_notification
      Result: True
     Comment: ----------------------------------------
              STIG Finding ID: ALMA-09-053040
                  The OS must be configured to forward
                  audit records via TCP to a different
                  system or media from the system
                  being audited via rsyslog
              ----------------------------------------
     Started: 15:14:17.780931
    Duration: 0.898 ms
     Changes:
----------
          ID: Set log-destination in /etc/rsyslog.conf to syslog.lab via TCP (ALMA-09-053040)
    Function: file.replace
        Name: /etc/rsyslog.conf
      Result: True
     Comment: Changes were made
     Started: 15:14:17.782004
    Duration: 5.868 ms
     Changes:
              ----------
              diff:
                  ---
                  +++
                  @@ -88,3 +88,4 @@
                   # Set per rule ALMA-09-052710
                   $ActionSendStreamDriverMode 1

                  +# Set per rule ALMA-09-053040
                  *.* @@syslog.lab
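Review bot: the hunk header `@@ -88,3 +88,4 @@` announces a single added line, yet two lines follow the three context lines (`+# Set per rule ALMA-09-053040` and `*.* @@syslog.lab`), the second without a `+` marker, so either the paste lost a character or the line count is off; worth re-checking that both the comment and the forwarding line actually landed in /etc/rsyslog.conf before relying on this case.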
----------
          ID: Re-read rsyslog configuration-options (ALMA-09-053040)
    Function: service.running
        Name: rsyslog.service
      Result: True
     Comment: Service restarted
     Started: 15:14:17.697575
    Duration: 852.21 ms
     Changes:
              ----------
              rsyslog.service:
                  True
------------

Value Set — Overriding existing forwarding via TCP:

----------
          ID: ALMA-09-053040-description
    Function: test.show_notification
      Result: True
     Comment: ----------------------------------------
              STIG Finding ID: ALMA-09-053040
                  The OS must be configured to forward
                  audit records via TCP to a different
                  system or media from the system
                  being audited via rsyslog
              ----------------------------------------
     Started: 16:13:29.351035
    Duration: 0.739 ms
     Changes:
----------
          ID: Set log-destination in /etc/rsyslog.conf to syslog.lab via TCP (ALMA-09-053040)
    Function: file.replace
        Name: /etc/rsyslog.conf
      Result: True
     Comment: Changes were made
     Started: 16:13:29.354279
    Duration: 19.083 ms
     Changes:
              ----------
              diff:
                  ---
                  +++
                  @@ -88,4 +88,4 @@
                   # Set per rule ALMA-09-052710
                   $ActionSendStreamDriverMode 1

                  -*.* @@syslog1.lab
                  +*.* @@syslog.lab
----------
          ID: Re-read rsyslog configuration-options (ALMA-09-053040)
    Function: service.running
        Name: rsyslog.service
      Result: True
     Comment: Service restarted
     Started: 16:13:29.697575
    Duration: 852.21 ms
     Changes:
              ----------
              rsyslog.service:
                  True
------------

Value Set — Overriding forwarding via UDP:

----------
          ID: ALMA-09-053040-description
    Function: test.show_notification
      Result: True
     Comment: ----------------------------------------
              STIG Finding ID: ALMA-09-053040
                  The OS must be configured to forward
                  audit records via TCP to a different
                  system or media from the system
                  being audited via rsyslog
              ----------------------------------------
     Started: 16:16:43.055175
    Duration: 0.724 ms
     Changes:
----------
          ID: Set log-destination in /etc/rsyslog.d/log_offload.conf to syslog.lab via TCP (ALMA-09-053040)
    Function: file.replace
        Name: /etc/rsyslog.d/log_offload.conf
      Result: True
     Comment: Changes were made
     Started: 16:16:43.057705
    Duration: 11.714 ms
     Changes:
              ----------
              diff:
                  ---
                  +++
                  @@ -1 +1 @@
                  -*.* @syslog.lab
                  +*.* @@syslog.lab
----------
          ID: Re-read rsyslog configuration-options (ALMA-09-053040)
    Function: service.running
        Name: rsyslog.service
      Result: True
     Comment: Service restarted
     Started: 16:16:43.697575
    Duration: 852.21 ms
     Changes:
              ----------
              rsyslog.service:
                  True
------------

Value Set — Overriding forwarding via RELP:

----------
          ID: ALMA-09-053040-description
    Function: test.show_notification
      Result: True
     Comment: ----------------------------------------
              STIG Finding ID: ALMA-09-053040
                  The OS must be configured to forward
                  audit records via TCP to a different
                  system or media from the system
                  being audited via rsyslog
              ----------------------------------------
     Started: 16:29:08.656310
    Duration: 0.73 ms
     Changes:
----------
          ID: Set log-destination in /etc/rsyslog.d/log_offload.conf to syslog.lab via TCP (ALMA-09-053040)
    Function: file.replace
        Name: /etc/rsyslog.d/log_offload.conf
      Result: True
     Comment: Changes were made
     Started: 16:29:08.658637
    Duration: 11.615 ms
     Changes:
              ----------
              diff:
                  ---
                  +++
                  @@ -1 +1 @@
                  -*.* :omrelp:syslog.lab:3514
                  +*.* @@syslog.lab
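Review bot: replacing `*.* :omrelp:syslog.lab:3514` with `*.* @@syslog.lab` silently drops the RELP transport and its non-default port in favour of plain TCP on rsyslog's default port; since only the host is read from Pillar, a site that deliberately deployed RELP (or a custom port) loses that on the next highstate. Consider making transport and port Pillar-driven as well, or at least calling out the override in the PR description and the formula's docs.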
----------
          ID: Re-read rsyslog configuration-options (ALMA-09-053040)
    Function: service.running
        Name: rsyslog.service
      Result: True
     Comment: Service restarted
     Started: 16:29:08.697575
    Duration: 852.21 ms
     Changes:
              ----------
              rsyslog.service:
                  True
------------

Valid value already set:

----------
          ID: ALMA-09-053040-description
    Function: test.show_notification
      Result: True
     Comment: ----------------------------------------
              STIG Finding ID: ALMA-09-053040
                  The OS must be configured to forward
                  audit records via TCP to a different
                  system or media from the system
                  being audited via rsyslog
              ----------------------------------------
     Started: 16:21:29.118384
    Duration: 0.758 ms
     Changes:
----------
          ID: Set log-destination in /etc/rsyslog.d/log_offload.conf to syslog.lab via TCP (ALMA-09-053040)
    Function: file.replace
        Name: /etc/rsyslog.d/log_offload.conf
      Result: True
     Comment: No changes needed to be made
     Started: 16:21:29.120873
    Duration: 7.729 ms
     Changes:
------------
          ID: Re-read rsyslog configuration-options (ALMA-09-053040)
    Function: service.running
        Name: rsyslog.service
      Result: True
     Comment: The service rsyslog.service is already running
     Started: 16:21:29.616971
    Duration: 1941.668 ms
     Changes:
------------
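As an added verification check (not part of this PR or the ash-linux formula), a small Python parser that recognises the three legacy forwarding forms the diffs above show (`@` UDP, `@@` TCP, `:omrelp:` RELP), plus the RainerScript `omfwd` form the page does not show, and reports whether the merged rsyslog configuration forwards `*.*` via TCP to the Pillar-declared collector. The file paths and the `syslog.lab` host come from the test output; the verdict labels (`ok`, `missing`, `wrong-transport-or-host`) are this example's own.

```python
import re
from typing import Dict, List

# Legacy syntax from the diffs above: *.* @host (UDP), *.* @@host (TCP), *.* :omrelp:host:port (RELP)
LEGACY_RE = re.compile(
    r'^(?P<selector>\S+)\s+(?:(?P<relp>:omrelp:)|(?P<tcp>@@)|(?P<udp>@))'
    r'(?:\([^)]*\))?'                  # optional legacy action options, e.g. @@(o)host
    r'(?P<host>\[[^\]]+\]|[^\s:;]+)'   # bracketed IPv6, or bare hostname/IPv4
    r'(?::(?P<port>\d+))?')
# RainerScript form, not shown on the page but common on EL9: action(type="omfwd" ...)
OMFWD_RE = re.compile(r'action\s*\(\s*type\s*=\s*"omfwd"(?P<params>[^)]*)\)', re.I)
PARAM_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def forwarding_actions(config_text: str) -> List[Dict[str, str]]:
    """Return every remote-forwarding action in one rsyslog config file."""
    actions = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = LEGACY_RE.match(line)
        if m:
            transport = 'relp' if m['relp'] else 'tcp' if m['tcp'] else 'udp'
            actions.append({'selector': m['selector'], 'transport': transport,
                            'host': m['host'].strip('[]'), 'port': m['port'] or '514'})
            continue
        for fwd in OMFWD_RE.finditer(line):
            p = dict(PARAM_RE.findall(fwd['params']))
            actions.append({'selector': '*.*', 'transport': p.get('protocol', 'udp').lower(),
                            'host': p.get('target', ''), 'port': p.get('port', '514')})
    return actions

def stig_053040_status(configs: Dict[str, str], collector: str) -> str:
    """Classify the merged config files: 'ok' if a catch-all (*.*) TCP forward to the
    expected collector exists, 'missing' if nothing is forwarded, else the mismatch."""
    catch_all = [a for text in configs.values() for a in forwarding_actions(text)
                 if a['selector'] == '*.*']
    if not catch_all:
        return 'missing'
    if any(a['transport'] == 'tcp' and a['host'] == collector for a in catch_all):
        return 'ok'
    return 'wrong-transport-or-host'

# Constructed samples mirroring the before/after states in the test output above.
SAMPLES = {
    'udp':  {'/etc/rsyslog.d/log_offload.conf': '*.* @syslog.lab\n'},
    'relp': {'/etc/rsyslog.d/log_offload.conf': '*.* :omrelp:syslog.lab:3514\n'},
    'fixed': {'/etc/rsyslog.conf': '# Set per rule ALMA-09-053040\n*.* @@syslog.lab\n'},
}
```

Run it against the real files by reading /etc/rsyslog.conf and /etc/rsyslog.d/*.conf into the `configs` dict; a `wrong-transport-or-host` result after a highstate is the signal that the Pillar value and the deployed config have drifted apart.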

@ferricoxide ferricoxide requested a review from a team January 16, 2026 17:04
@ferricoxide ferricoxide merged commit 303ca0a into plus3it:master Jan 16, 2026
10 checks passed
@ferricoxide ferricoxide deleted the Feature/Issue_555 branch January 16, 2026 21:01