The NixOS audit records must be off-loaded onto a different system or storage media from the system being audited.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-268108	SRG-OS-000051-GPOS-00024	ANIX-00-000480	SV-268108r1039573_rule	2024-10-25	1

Description
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. NixOS supports "syslog-ng". "syslog-ng" is a common system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. This utility also natively supports TLS to securely encrypt and off-load auditing.

Description

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. NixOS supports "syslog-ng". "syslog-ng" is a common system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. This utility also natively supports TLS to securely encrypt and off-load auditing.

ℹ️ Check
Verify the audit system off-loads audit records onto a different system or media from the system being audited. List the configured destinations with the following command: $ cat $(egrep -o 'cfgfile=.*\.conf' $(nix-store --query --requisites /run/current-system \| grep syslog-ng.service)/syslog-ng.service \| awk -F '=' '{print $2}') @version: 4.4 @include "scl.conf" options { keep-hostname(yes); create_dirs(yes); owner(root); group(root); perm(0644); dir_owner(root); dir_group(root); dir_perm(0755); }; source s_local { system(); internal(); }; destination d_local { file("/var/log/messages"); }; destination d_network { syslog( "<remote-logging-server>" port(<port>) transport(tls) tls( cert-file("/var/syslog-ng/certs.d/certificate.crt") key-file("/var/syslog-ng/certs.d/certificate.key") ca-file("/var/syslog-ng/certs.d/cert-bundle.crt") peer-verify(yes) ) ); }; log { source(s_local); destination(d_local); destination(d_network); }; If the configuration does not specify a "log" directive for sources to be sent to a remote destination, or the lines are commented out, ask the system administrator (SA) to indicate how the audit logs are off-loaded to a different system or media. If there is no evidence that the audit logs are being off-loaded to another system or media, this is a finding.

ℹ️ Check

Verify the audit system off-loads audit records onto a different system or media from the system being audited. List the configured destinations with the following command: $ cat $(egrep -o 'cfgfile=.*\.conf' $(nix-store --query --requisites /run/current-system | grep syslog-ng.service)/syslog-ng.service | awk -F '=' '{print $2}') @version: 4.4 @include "scl.conf" options { keep-hostname(yes); create_dirs(yes); owner(root); group(root); perm(0644); dir_owner(root); dir_group(root); dir_perm(0755); }; source s_local { system(); internal(); }; destination d_local { file("/var/log/messages"); }; destination d_network { syslog( "<remote-logging-server>" port(<port>) transport(tls) tls( cert-file("/var/syslog-ng/certs.d/certificate.crt") key-file("/var/syslog-ng/certs.d/certificate.key") ca-file("/var/syslog-ng/certs.d/cert-bundle.crt") peer-verify(yes) ) ); }; log { source(s_local); destination(d_local); destination(d_network); }; If the configuration does not specify a "log" directive for sources to be sent to a remote destination, or the lines are commented out, ask the system administrator (SA) to indicate how the audit logs are off-loaded to a different system or media. If there is no evidence that the audit logs are being off-loaded to another system or media, this is a finding.

✔️ Fix
Configure the operating system to off-load audit records onto a different system or media from the system being audited by specifying a remote destination in the syslog-ng configuration. Add or update the "services.syslog-ng.extraConfig" configuration in /etc/nixos/configuration.nix to include the following: source s_local { system(); internal(); }; destination d_network { syslog( "<remote-logging-server>" port(<port>) }; log { source(s_local); destination(d_network); }; For example, an updated configuration of services.rsyslogd.extraConfig' would look like the following in /etc/nixos/configuration.nix ('...' denoting that the 'services.rsyslogd.extraConfig' configuration may have other options configured): services.rsyslogd.extraConfig = '' ... source s_local { system(); internal(); }; destination d_network { syslog( "<remote-logging-server>" port(<port>) ... }; log { source(s_local); destination(d_network); }; ... ''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

✔️ Fix

Configure the operating system to off-load audit records onto a different system or media from the system being audited by specifying a remote destination in the syslog-ng configuration. Add or update the "services.syslog-ng.extraConfig" configuration in /etc/nixos/configuration.nix to include the following: source s_local { system(); internal(); }; destination d_network { syslog( "<remote-logging-server>" port(<port>) }; log { source(s_local); destination(d_network); }; For example, an updated configuration of services.rsyslogd.extraConfig' would look like the following in /etc/nixos/configuration.nix ('...' denoting that the 'services.rsyslogd.extraConfig' configuration may have other options configured): services.rsyslogd.extraConfig = '' ... source s_local { system(); internal(); }; destination d_network { syslog( "<remote-logging-server>" port(<port>) ... }; log { source(s_local); destination(d_network); }; ... ''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch