scap-security-guide/SOURCES/scap-security-guide-0.1.58-RHEL_08_030710-PR_7268.patch
2021-11-02 16:51:38 +00:00

481 lines
28 KiB
Diff

From 2f38b61e9b6b26dab05443a9bf03642971cbeeef Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Fri, 23 Jul 2021 16:32:15 -0500
Subject: [PATCH] Add new rule for RHEL-08-030710
---
.../ansible/shared.yml | 5 +++
.../bash/shared.sh | 6 +++
.../oval/shared.xml | 44 +++++++++++++++++++
.../rule.yml | 38 ++++++++++++++++
.../tests/default_no_pass.fail.sh | 7 +++
.../tests/rsyslog.pass.sh | 4 ++
.../tests/rsyslog_wrong_value.fail.sh | 4 ++
.../tests/rsyslogd.pass.sh | 4 ++
.../tests/rsyslogd_wrong_value.fail.sh | 4 ++
.../tests/setup.sh | 9 ++++
.../ansible/shared.yml | 5 +++
.../bash/shared.sh | 5 +++
.../oval/shared.xml | 44 +++++++++++++++++++
.../rule.yml | 38 ++++++++++++++++
.../tests/default_no_pass.fail.sh | 7 +++
.../tests/rsyslog.pass.sh | 4 ++
.../tests/rsyslog_wrong_value.fail.sh | 4 ++
.../tests/rsyslogd.pass.sh | 4 ++
.../tests/rsyslogd_wrong_value.fail.sh | 4 ++
.../tests/setup.sh | 9 ++++
products/rhel8/profiles/stig.profile | 2 +
shared/references/cce-redhat-avail.txt | 2 -
.../data/profile_stability/rhel8/stig.profile | 2 +
.../profile_stability/rhel8/stig_gui.profile | 2 +
24 files changed, 255 insertions(+), 2 deletions(-)
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/bash/shared.sh
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/oval/shared.xml
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/rule.yml
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/default_no_pass.fail.sh
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslog.pass.sh
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslog_wrong_value.fail.sh
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslogd.pass.sh
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslogd_wrong_value.fail.sh
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/setup.sh
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/bash/shared.sh
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/oval/shared.xml
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/rule.yml
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/default_no_pass.fail.sh
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslog.pass.sh
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslog_wrong_value.fail.sh
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslogd.pass.sh
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslogd_wrong_value.fail.sh
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/setup.sh
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml
new file mode 100644
index 0000000000..2d6c5227a8
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml
@@ -0,0 +1,5 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+
+{{{ ansible_set_config_file(file="/etc/rsyslog.d/encrypt.conf",
+ parameter="\$ActionSendStreamDriverMode", value="1", create=true, separator=" ", separator_regex=" ")
+}}}
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/bash/shared.sh
new file mode 100644
index 0000000000..36853d1786
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/bash/shared.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+
+{{{ set_config_file(path="/etc/rsyslog.d/encrypt.conf",
+ parameter="\$ActionSendStreamDriverMode", value="1", create=true, separator=" ", separator_regex=" ")
+}}}
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/oval/shared.xml
new file mode 100644
index 0000000000..d21f8af1e4
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/oval/shared.xml
@@ -0,0 +1,44 @@
+
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("Rsyslogd must encrypt the off-loading of logs off of the system.") }}}
+ <criteria operator="AND">
+ <criteria operator="OR">
+ <criterion comment="Check if $ActionSendStreamDriverMode 1 is set in /etc/rsyslog.conf"
+ test_ref="test_{{{rule_id}}}_action_send_stream_driver_mode_rsyslog" />
+ <criterion comment="Check if $ActionSendStreamDriverMode 1 is set in files in /etc/rsyslog.d"
+ test_ref="test_{{{rule_id}}}_action_send_stream_driver_mode_rsyslog_dir" />
+ </criteria>
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="Check if $ActionSendStreamDriverMode 1 is set in /etc/rsyslog.conf"
+ id="test_{{{rule_id}}}_action_send_stream_driver_mode_rsyslog" version="1">
+
+ <ind:object object_ref="obj_{{{rule_id}}}_action_send_stream_driver_mode_rsyslog" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_{{{rule_id}}}_action_send_stream_driver_mode_rsyslog"
+ comment="Check if $ActionSendStreamDriverMode 1 is set in /etc/rsyslog.conf"
+ version="1">
+ <ind:filepath>/etc/rsyslog.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^\$ActionSendStreamDriverMode 1$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="Check if $ActionSendStreamDriverMode 1 is set in /etc/rsyslog.conf"
+ id="test_{{{rule_id}}}_action_send_stream_driver_mode_rsyslog_dir" version="1">
+ <ind:object object_ref="obj_{{{rule_id}}}_action_send_stream_driver_mode_rsyslog_dir" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_{{{rule_id}}}_action_send_stream_driver_mode_rsyslog_dir"
+ comment="Check if $ActionSendStreamDriverMode 1 is set in /etc/rsyslog.d"
+ version="1">
+ <ind:path>/etc/rsyslog.d</ind:path>
+ <ind:filename operation="pattern match">^.*conf$</ind:filename>
+ <ind:pattern operation="pattern match">^\$ActionSendStreamDriverMode 1$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/rule.yml
new file mode 100644
index 0000000000..1bcc33927b
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/rule.yml
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+title: Ensure Rsyslog Encrypts Off-Loaded Audit Records
+
+description: |-
+ Rsyslogd is a system utility providing support for message logging. Support
+ for both internet and UNIX domain sockets enables this utility to support both local
+ and remote logging. Couple this utility with <tt>gnutls</tt> (which is a secure communications
+ library implementing the SSL, TLS and DTLS protocols), and you have a method to securely
+ encrypt and off-load auditing.
+
+ When using <tt>rsyslogd</tt> to off-load logs off a encrpytion system must be used.
+
+rationale: |-
+ The audit records generated by Rsyslog contain valuable information regarding system
+ configuration, user authentication, and other such information. Audit records should be
+ protected from unauthorized access.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-86098-1
+
+references:
+ disa: CCI-001851
+ nist: AU-4(1)
+ srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
+ stigid@rhel8: RHEL-08-030710
+
+ocil_clause: 'rsyslogd ActionSendStreamDriverMode not set to 1'
+
+ocil: |-
+ Verify the operating system encrypts audit records off-loaded onto a different system
+ or media from the system being audited with the following commands:
+
+ <pre>$ sudo grep -i '$ActionSendStreamDriverMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf</pre>
+ The output should be
+ <pre>/etc/rsyslog.conf:$ActionSendStreamDriverMode 1</pre>
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/default_no_pass.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/default_no_pass.fail.sh
new file mode 100644
index 0000000000..3ee5384371
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/default_no_pass.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+bash -x setup.sh
+
+if [[ -f encrypt.conf ]]; then
+ sed -i i/\$ActionSendStreamDriverMod//g /etc/rsyslog.d/encrypt.conf
+fi
+ sed -i i/\$ActionSendStreamDriverMod//g /etc/rsyslog.conf
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslog.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslog.pass.sh
new file mode 100644
index 0000000000..34105aaa85
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslog.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+bash -x setup.sh
+
+echo "\$ActionSendStreamDriverMode 1" >> /etc/rsyslog.conf
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslog_wrong_value.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslog_wrong_value.fail.sh
new file mode 100644
index 0000000000..db87b2956c
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslog_wrong_value.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+bash -x setup.sh
+
+echo "\$ActionSendStreamDriverMode 0" >> /etc/rsyslog.d/encrypt.conf
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslogd.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslogd.pass.sh
new file mode 100644
index 0000000000..25e7cdf783
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslogd.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+bash -x setup.sh
+
+echo "\$ActionSendStreamDriverMode 1" >> /etc/rsyslog.d/encrypt.conf
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslogd_wrong_value.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslogd_wrong_value.fail.sh
new file mode 100644
index 0000000000..d37882acf3
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslogd_wrong_value.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+bash -x setup.sh
+
+echo "\$ActionSendStreamDriverMode 0" >> /etc/rsyslog
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/setup.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/setup.sh
new file mode 100644
index 0000000000..9686f16bcc
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/setup.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# Use this script to ensure the rsyslog directory structure and rsyslog conf file
+# exist in the test env.
+config_file=/etc/rsyslog.conf
+
+# Ensure directory structure exists (useful for container based testing)
+test -f $config_file || touch $config_file
+
+test -d /etc/rsyslog.d/ || mkdir /etc/rsyslog.d/
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml
new file mode 100644
index 0000000000..2ddbfb871f
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml
@@ -0,0 +1,5 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+
+{{{ ansible_set_config_file(file="/etc/rsyslog.d/encrypt.conf",
+ parameter="\$DefaultNetstreamDriver", value="gtls", create=true, separator=" ", separator_regex=" ")
+}}}
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/bash/shared.sh
new file mode 100644
index 0000000000..3955346cd3
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/bash/shared.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+{{{ set_config_file(path="/etc/rsyslog.d/encrypt.conf",
+ parameter="\$DefaultNetstreamDriver", value="gtls", create=true, separator=" ", separator_regex=" ")
+}}}
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/oval/shared.xml
new file mode 100644
index 0000000000..71d39c179d
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/oval/shared.xml
@@ -0,0 +1,44 @@
+
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("Rsyslogd must encrypt the off-loading of logs off of the system.") }}}
+ <criteria operator="AND">
+ <criteria operator="OR">
+ <criterion comment="Check if $DefaultNetstreamDriver gtls is set in /etc/rsyslog.conf"
+ test_ref="test_{{{rule_id}}}_default_netstream_rsyslog" />
+ <criterion comment="Check if $DefaultNetstreamDriver gtls is set in files in /etc/rsyslog.d"
+ test_ref="test_{{{rule_id}}}_default_netstream_rsyslog_dir" />
+ </criteria>
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="Check if $DefaultNetstreamDriver gtls is set in /etc/rsyslog.conf"
+ id="test_{{{rule_id}}}_default_netstream_rsyslog" version="1">
+
+ <ind:object object_ref="obj_{{{rule_id}}}_default_netstream_rsyslog" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_{{{rule_id}}}_default_netstream_rsyslog"
+ comment="Check if $DefaultNetstreamDriver gtls is set in /etc/rsyslog.conf"
+ version="1">
+ <ind:filepath>/etc/rsyslog.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^\$DefaultNetstreamDriver gtls$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="Check if $DefaultNetstreamDriver gtls is set in /etc/rsyslog.conf"
+ id="test_{{{rule_id}}}_default_netstream_rsyslog_dir" version="1">
+ <ind:object object_ref="obj_{{{rule_id}}}_default_netstream_rsyslog_dir" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_{{{rule_id}}}_default_netstream_rsyslog_dir"
+ comment="Check if $DefaultNetstreamDriver gtls is set in /etc/rsyslog.d"
+ version="1">
+ <ind:path>/etc/rsyslog.d</ind:path>
+ <ind:filename operation="pattern match">^.*conf$</ind:filename>
+ <ind:pattern operation="pattern match">^\$DefaultNetstreamDriver gtls$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/rule.yml
new file mode 100644
index 0000000000..eff85d3fae
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/rule.yml
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+title: Ensure Rsyslog Encrypts Off-Loaded Audit Records
+
+description: |-
+ Rsyslogd is a system utility providing support for message logging. Support
+ for both internet and UNIX domain sockets enables this utility to support both local
+ and remote logging. Couple this utility with <tt>gnutls</tt> (which is a secure communications
+ library implementing the SSL, TLS and DTLS protocols), and you have a method to securely
+ encrypt and off-load auditing.
+
+ When using <tt>rsyslogd</tt> to off-load logs off a encrpytion system must be used.
+
+rationale: |-
+ The audit records generated by Rsyslog contain valuable information regarding system
+ configuration, user authentication, and other such information. Audit records should be
+ protected from unauthorized access.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-85992-6
+
+references:
+ disa: CCI-001851
+ nist: AU-4(1)
+ srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
+ stigid@rhel8: RHEL-08-030710
+
+ocil_clause: 'rsyslogd DefaultNetstreamDriver not set to gtls'
+
+ocil: |-
+ Verify the operating system encrypts audit records off-loaded onto a different system
+ or media from the system being audited with the following commands:
+
+ <pre>$ sudo grep -i '$DefaultNetstreamDriver' /etc/rsyslog.conf /etc/rsyslog.d/*.conf</pre>
+ The output should be
+ <pre>/etc/rsyslog.conf:$DefaultNetstreamDriver gtls</pre>
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/default_no_pass.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/default_no_pass.fail.sh
new file mode 100644
index 0000000000..6ab43bfc0d
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/default_no_pass.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+bash -x setup.sh
+
+if [[ -f encrypt.conf ]]; then
+ sed -i i/\$DefaultNetstreamDriver*.$//g /etc/rsyslog.d/encrypt.conf
+fi
+ sed -i i/\$DefaultNetstreamDriver*.$//g /etc/rsyslog.conf
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslog.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslog.pass.sh
new file mode 100644
index 0000000000..40f1bfe087
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslog.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+bash -x setup.sh
+
+echo "\$DefaultNetstreamDriver gtls" >> /etc/rsyslog.conf
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslog_wrong_value.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslog_wrong_value.fail.sh
new file mode 100644
index 0000000000..30a1d5b43a
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslog_wrong_value.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+bash -x setup.sh
+
+echo "\$DefaultNetstreamDriver none" >> /etc/rsyslog.d/encrypt.conf
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslogd.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslogd.pass.sh
new file mode 100644
index 0000000000..44715bca66
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslogd.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+bash -x setup.sh
+
+echo "\$DefaultNetstreamDriver gtls" >> /etc/rsyslog.d/encrypt.conf
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslogd_wrong_value.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslogd_wrong_value.fail.sh
new file mode 100644
index 0000000000..30a1d5b43a
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslogd_wrong_value.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+bash -x setup.sh
+
+echo "\$DefaultNetstreamDriver none" >> /etc/rsyslog.d/encrypt.conf
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/setup.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/setup.sh
new file mode 100644
index 0000000000..9686f16bcc
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/setup.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# Use this script to ensure the rsyslog directory structure and rsyslog conf file
+# exist in the test env.
+config_file=/etc/rsyslog.conf
+
+# Ensure directory structure exists (useful for container based testing)
+test -f $config_file || touch $config_file
+
+test -d /etc/rsyslog.d/ || mkdir /etc/rsyslog.d/
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 6372d13cfc..1cc53cf1e1 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -828,6 +828,8 @@ selections:
- auditd_overflow_action
# RHEL-08-030710
+ - rsyslog_encrypt_offload_defaultnetstreamdriver
+ - rsyslog_encrypt_offload_actionsendstreamdrivermode
# RHEL-08-030720
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 24e8149168..fdf69f6baa 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -129,7 +129,6 @@ CCE-85988-4
CCE-85989-2
CCE-85990-0
CCE-85991-8
-CCE-85992-6
CCE-85993-4
CCE-85994-2
CCE-85995-9
@@ -235,7 +234,6 @@ CCE-86094-0
CCE-86095-7
CCE-86096-5
CCE-86097-3
-CCE-86098-1
CCE-86099-9
CCE-86100-5
CCE-86101-3
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 32f1a24a7a..c0ef381696 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -228,6 +228,8 @@ selections:
- require_singleuser_auth
- root_permissions_syslibrary_files
- rsyslog_cron_logging
+- rsyslog_encrypt_offload_actionsendstreamdrivermode
+- rsyslog_encrypt_offload_defaultnetstreamdriver
- rsyslog_remote_access_monitoring
- rsyslog_remote_loghost
- security_patches_up_to_date
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index d6a27c67dc..5adeea4a35 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -239,6 +239,8 @@ selections:
- require_singleuser_auth
- root_permissions_syslibrary_files
- rsyslog_cron_logging
+- rsyslog_encrypt_offload_actionsendstreamdrivermode
+- rsyslog_encrypt_offload_defaultnetstreamdriver
- rsyslog_remote_access_monitoring
- rsyslog_remote_loghost
- security_patches_up_to_date