{"description": "Configure <tt>rsyslog</tt> to use Transport Layer\nSecurity (TLS) support for logging to a remote server\nfor the Forwarding Output Module in <tt>/etc/rsyslog.conf</tt>\nusing an action. You can use the following command:\n<pre>echo 'action(type=\"omfwd\" protocol=\"tcp\" Target=\"&lt;remote system&gt;\" port=\"6514\"\n    StreamDriver=\"gtls\" StreamDriverMode=\"1\" StreamDriverAuthMode=\"x509/name\" streamdriver.CheckExtendedKeyPurpose=\"on\")' >> /etc/rsyslog.conf\n</pre>\nReplace the <tt>&lt;remote system&gt;</tt> in the above command with an IP address or a host name of the remote logging server.", "rationale": "For protection of data being logged, the connection to the\nremote logging server needs to be authenticated and encrypted.", "severity": "medium", "references": {"nist": ["AU-9(3)", "CM-6(a)"], "srg": ["SRG-OS-000480-GPOS-00227", "SRG-OS-000120-GPOS-00061"], "anssi": ["R71"], "ism": ["0988", "1405"]}, "control_references": {"anssi": ["R71"], "ism": ["0988", "1405"]}, "components": [], "identifiers": {}, "ocil_clause": "omfwd is not configured with gtls and AuthMode", "ocil": "To verify that rsyslog's Forwarding Output Module is configured\nto use TLS for logging to a remote server, run the following command:\n<pre>$ grep omfwd /etc/rsyslog.conf /etc/rsyslog.d/*.conf</pre>\nThe output should include a record similar to\n<pre>action(type=\"omfwd\" protocol=\"tcp\" Target=\"&lt;remote system&gt;\" port=\"6514\"\n    StreamDriver=\"gtls\" StreamDriverMode=\"1\" StreamDriverAuthMode=\"x509/name\" streamdriver.CheckExtendedKeyPurpose=\"on\")\n</pre>\nwhere the <tt>&lt;remote system&gt;</tt> present in the configuration line above must be a valid IP address or a host name of the remote logging server.", "oval_external_content": null, "fixtext": "Configure rsyslog to use Transport Layer Security (TLS) support for logging\nto a remote server for the Forwarding Output Module.\n\nAdd or update the following entry in /etc/rsyslog.conf:\n\naction(type=\"omfwd\" protocol=\"tcp\" Target=\"remote system\" port=\"6514\" StreamDriver=\"gtls\" StreamDriverMode=\"1\" StreamDriverAuthMode=\"x509/name\" streamdriver.CheckExtendedKeyPurpose=\"on\")\n\nReplace the remote system in the above command with an IP address or a host name of the remote logging server.", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure TLS for rsyslog remote logging", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml", "template": null}