NixOS must have the packages required for offloading audit logs installed and running.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-268107 | ANIX-00-000460 | SV-268107r1039594_rule | CCI-000154 | medium |
| Description | ||||
| Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. NixOS supports "syslog-ng". "syslog-ng" is a common system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. This utility also natively supports TLS to securely encrypt and off-load auditing. Satisfies: SRG-OS-000051-GPOS-00024, SRG-OS-000269-GPOS-00103 | ||||
| STIG | Date | |||
| Anduril NixOS Security Technical Implementation Guide | 2024-10-25 | |||
Details
Check Text (C-268107r1039594_chk)
Verify that the syslog-ng service is running with the following command:
$ systemctl status syslog-ng.service
syslog-ng.service - syslog-ng daemon
Loaded: loaded (/etc/systemd/system/syslog-ng.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2022-06-04 02:51:43 UTC; 13min ago
If the syslog-ng service is not "active" and "running", this is a finding.
Fix Text (F-71934r1039208_fix)
Configure the operating system to offload audit logs.
Install the syslog-ng service (if the syslog-ng service is not already installed) and ensure the syslog-ng service is enabled by adding or updating the following configuration in /etc/nixos/configuration.nix:
services.syslog-ng.enable = true;
Rebuild the NixOS configuration with the following command:
$ sudo nixos-rebuild switch