From 2f38b61e9b6b26dab05443a9bf03642971cbeeef Mon Sep 17 00:00:00 2001

From: Matthew Burket <mburket@redhat.com>

Date: Fri, 23 Jul 2021 16:32:15 -0500

Subject: [PATCH] Add new rule for RHEL-08-030710

---

 .../ansible/shared.yml                        |  5 +++

 .../bash/shared.sh                            |  6 +++

 .../oval/shared.xml                           | 44 +++++++++++++++++++

 .../rule.yml                                  | 38 ++++++++++++++++

 .../tests/default_no_pass.fail.sh             |  7 +++

 .../tests/rsyslog.pass.sh                     |  4 ++

 .../tests/rsyslog_wrong_value.fail.sh         |  4 ++

 .../tests/rsyslogd.pass.sh                    |  4 ++

 .../tests/rsyslogd_wrong_value.fail.sh        |  4 ++

 .../tests/setup.sh                            |  9 ++++

 .../ansible/shared.yml                        |  5 +++

 .../bash/shared.sh                            |  5 +++

 .../oval/shared.xml                           | 44 +++++++++++++++++++

 .../rule.yml                                  | 38 ++++++++++++++++

 .../tests/default_no_pass.fail.sh             |  7 +++

 .../tests/rsyslog.pass.sh                     |  4 ++

 .../tests/rsyslog_wrong_value.fail.sh         |  4 ++

 .../tests/rsyslogd.pass.sh                    |  4 ++

 .../tests/rsyslogd_wrong_value.fail.sh        |  4 ++

 .../tests/setup.sh                            |  9 ++++

 products/rhel8/profiles/stig.profile          |  2 +

 shared/references/cce-redhat-avail.txt        |  2 -

 .../data/profile_stability/rhel8/stig.profile |  2 +

 .../profile_stability/rhel8/stig_gui.profile  |  2 +

 24 files changed, 255 insertions(+), 2 deletions(-)

 create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml

 create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/bash/shared.sh

 create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/oval/shared.xml

 create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/rule.yml

 create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/default_no_pass.fail.sh

 create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslog.pass.sh

 create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslog_wrong_value.fail.sh

 create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslogd.pass.sh

 create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslogd_wrong_value.fail.sh

 create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/setup.sh

 create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml

 create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/bash/shared.sh

 create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/oval/shared.xml

 create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/rule.yml

 create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/default_no_pass.fail.sh

 create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslog.pass.sh

 create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslog_wrong_value.fail.sh

 create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslogd.pass.sh

 create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslogd_wrong_value.fail.sh

 create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/setup.sh

diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml

new file mode 100644

index 0000000000..2d6c5227a8

--- /dev/null

+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml

@@ -0,0 +1,5 @@

+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora

+

+{{{ ansible_set_config_file(file="/etc/rsyslog.d/encrypt.conf",

+             parameter="\$ActionSendStreamDriverMode", value="1", create=true, separator=" ", separator_regex=" ")

+}}}

diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/bash/shared.sh

new file mode 100644

index 0000000000..36853d1786

--- /dev/null

+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/bash/shared.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora

+

+{{{ set_config_file(path="/etc/rsyslog.d/encrypt.conf",

+             parameter="\$ActionSendStreamDriverMode", value="1", create=true, separator=" ", separator_regex=" ")

+}}}

diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/oval/shared.xml

new file mode 100644

index 0000000000..d21f8af1e4

--- /dev/null

+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/oval/shared.xml

@@ -0,0 +1,44 @@

+

+<def-group>

+    <definition class="compliance" id="{{{ rule_id }}}" version="1">

+        {{{ oval_metadata("Rsyslogd must encrypt the off-loading of logs off of the system.") }}}

+        <criteria operator="AND">

+            <criteria operator="OR">

+                 

+                            test_ref="test_{{{rule_id}}}_action_send_stream_driver_mode_rsyslog" />

+                

+                            test_ref="test_{{{rule_id}}}_action_send_stream_driver_mode_rsyslog_dir" />

+            </criteria>

+        </criteria>

+    </definition>

+

+    

+                                comment="Check if $ActionSendStreamDriverMode 1 is set in /etc/rsyslog.conf"

+                                id="test_{{{rule_id}}}_action_send_stream_driver_mode_rsyslog" version="1">

+

+        <ind:object object_ref="obj_{{{rule_id}}}_action_send_stream_driver_mode_rsyslog" />

+    </ind:textfilecontent54_test>

+

+    

+                                    comment="Check if  $ActionSendStreamDriverMode 1 is set in /etc/rsyslog.conf"

+                                    version="1">

+        <ind:filepath>/etc/rsyslog.conf</ind:filepath>

+        <ind:pattern operation="pattern match">^\$ActionSendStreamDriverMode 1$</ind:pattern>

+        <ind:instance datatype="int">1</ind:instance>

+    </ind:textfilecontent54_object>

+

+    

+                                comment="Check if $ActionSendStreamDriverMode 1 is set in /etc/rsyslog.conf"

+                                id="test_{{{rule_id}}}_action_send_stream_driver_mode_rsyslog_dir" version="1">

+        <ind:object object_ref="obj_{{{rule_id}}}_action_send_stream_driver_mode_rsyslog_dir" />

+    </ind:textfilecontent54_test>

+

+    

+                                    comment="Check if $ActionSendStreamDriverMode 1 is set in /etc/rsyslog.d"

+                                    version="1">

+        <ind:path>/etc/rsyslog.d</ind:path>

+        <ind:filename operation="pattern match">^.*conf$</ind:filename>

+        <ind:pattern operation="pattern match">^\$ActionSendStreamDriverMode 1$</ind:pattern>

+        <ind:instance datatype="int">1</ind:instance>

+    </ind:textfilecontent54_object>

+</def-group>

diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/rule.yml

new file mode 100644

index 0000000000..1bcc33927b

--- /dev/null

+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/rule.yml

@@ -0,0 +1,38 @@

+documentation_complete: true

+

+title: Ensure Rsyslog Encrypts Off-Loaded Audit Records

+

+description: |-

+  Rsyslogd is a system utility providing support for message logging. Support

+  for both internet and UNIX domain sockets enables this utility to support both local

+  and remote logging.  Couple this utility with <tt>gnutls</tt> (which is a secure communications

+  library implementing the SSL, TLS and DTLS protocols), and you have a method to securely

+  encrypt and off-load auditing.

+

+  When using <tt>rsyslogd</tt> to off-load logs off a encrpytion system must be used.

+

+rationale: |-

+    The audit records generated by Rsyslog contain valuable information regarding system

+    configuration, user authentication, and other such information. Audit records should be

+    protected from unauthorized access.

+

+severity: medium

+

+identifiers:

+    cce@rhel8: CCE-86098-1

+

+references:

+    disa: CCI-001851

+    nist: AU-4(1)

+    srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224

+    stigid@rhel8: RHEL-08-030710

+

+ocil_clause: 'rsyslogd ActionSendStreamDriverMode not set to 1'

+

+ocil: |-

+    Verify the operating system encrypts audit records off-loaded onto a different system

+    or media from the system being audited with the following commands:

+

+    
$ sudo grep -i '$ActionSendStreamDriverMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf

+    The output should be

+    
/etc/rsyslog.conf:$ActionSendStreamDriverMode 1

diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/default_no_pass.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/default_no_pass.fail.sh

new file mode 100644

index 0000000000..3ee5384371

--- /dev/null

+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/default_no_pass.fail.sh

@@ -0,0 +1,7 @@

+#!/bin/bash

+bash -x setup.sh

+

+if [[ -f encrypt.conf ]]; then

+  sed -i i/\$ActionSendStreamDriverMod//g /etc/rsyslog.d/encrypt.conf

+fi

+  sed -i i/\$ActionSendStreamDriverMod//g /etc/rsyslog.conf

diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslog.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslog.pass.sh

new file mode 100644

index 0000000000..34105aaa85

--- /dev/null

+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslog.pass.sh

@@ -0,0 +1,4 @@

+#!/bin/bash

+bash -x setup.sh

+

+echo "\$ActionSendStreamDriverMode 1" >> /etc/rsyslog.conf

diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslog_wrong_value.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslog_wrong_value.fail.sh

new file mode 100644

index 0000000000..db87b2956c

--- /dev/null

+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslog_wrong_value.fail.sh

@@ -0,0 +1,4 @@

+#!/bin/bash

+bash -x setup.sh

+

+echo "\$ActionSendStreamDriverMode 0" >> /etc/rsyslog.d/encrypt.conf

diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslogd.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslogd.pass.sh

new file mode 100644

index 0000000000..25e7cdf783

--- /dev/null

+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslogd.pass.sh

@@ -0,0 +1,4 @@

+#!/bin/bash

+bash -x setup.sh

+

+echo "\$ActionSendStreamDriverMode 1" >> /etc/rsyslog.d/encrypt.conf

diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslogd_wrong_value.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslogd_wrong_value.fail.sh

new file mode 100644

index 0000000000..d37882acf3

--- /dev/null

+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/rsyslogd_wrong_value.fail.sh

@@ -0,0 +1,4 @@

+#!/bin/bash

+bash -x setup.sh

+

+echo "\$ActionSendStreamDriverMode 0" >> /etc/rsyslog

diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/setup.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/setup.sh

new file mode 100644

index 0000000000..9686f16bcc

--- /dev/null

+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/tests/setup.sh

@@ -0,0 +1,9 @@

+#!/bin/bash

+# Use this script to ensure the rsyslog directory structure and rsyslog conf file

+# exist in the test env.

+config_file=/etc/rsyslog.conf

+

+# Ensure directory structure exists (useful for container based testing)

+test -f $config_file || touch $config_file

+

+test -d /etc/rsyslog.d/ || mkdir /etc/rsyslog.d/

diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml

new file mode 100644

index 0000000000..2ddbfb871f

--- /dev/null

+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml

@@ -0,0 +1,5 @@

+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora

+

+{{{ ansible_set_config_file(file="/etc/rsyslog.d/encrypt.conf",

+                    parameter="\$DefaultNetstreamDriver", value="gtls", create=true, separator=" ", separator_regex=" ")

+}}}

diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/bash/shared.sh

new file mode 100644

index 0000000000..3955346cd3

--- /dev/null

+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/bash/shared.sh

@@ -0,0 +1,5 @@

+#!/bin/bash

+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora

+{{{ set_config_file(path="/etc/rsyslog.d/encrypt.conf",

+                    parameter="\$DefaultNetstreamDriver", value="gtls", create=true, separator=" ", separator_regex=" ")

+}}}

diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/oval/shared.xml

new file mode 100644

index 0000000000..71d39c179d

--- /dev/null

+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/oval/shared.xml

@@ -0,0 +1,44 @@

+

+<def-group>

+    <definition class="compliance" id="{{{ rule_id }}}" version="1">

+        {{{ oval_metadata("Rsyslogd must encrypt the off-loading of logs off of the system.") }}}

+        <criteria operator="AND">

+            <criteria operator="OR">

+                 

+                            test_ref="test_{{{rule_id}}}_default_netstream_rsyslog" />

+                

+                            test_ref="test_{{{rule_id}}}_default_netstream_rsyslog_dir" />

+            </criteria>

+        </criteria>

+    </definition>

+

+    

+                                comment="Check if $DefaultNetstreamDriver gtls is set in /etc/rsyslog.conf"

+                                id="test_{{{rule_id}}}_default_netstream_rsyslog" version="1">

+

+        <ind:object object_ref="obj_{{{rule_id}}}_default_netstream_rsyslog" />

+    </ind:textfilecontent54_test>

+

+    

+                                    comment="Check if  $DefaultNetstreamDriver gtls is set in /etc/rsyslog.conf"

+                                    version="1">

+        <ind:filepath>/etc/rsyslog.conf</ind:filepath>

+        <ind:pattern operation="pattern match">^\$DefaultNetstreamDriver gtls$</ind:pattern>

+        <ind:instance datatype="int">1</ind:instance>

+    </ind:textfilecontent54_object>

+

+    

+                                comment="Check if $DefaultNetstreamDriver gtls is set in /etc/rsyslog.conf"

+                                id="test_{{{rule_id}}}_default_netstream_rsyslog_dir" version="1">

+        <ind:object object_ref="obj_{{{rule_id}}}_default_netstream_rsyslog_dir" />

+    </ind:textfilecontent54_test>

+

+    

+                                    comment="Check if $DefaultNetstreamDriver gtls is set in /etc/rsyslog.d"

+                                    version="1">

+        <ind:path>/etc/rsyslog.d</ind:path>

+        <ind:filename operation="pattern match">^.*conf$</ind:filename>

+        <ind:pattern operation="pattern match">^\$DefaultNetstreamDriver gtls$</ind:pattern>

+        <ind:instance datatype="int">1</ind:instance>

+    </ind:textfilecontent54_object>

+</def-group>

diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/rule.yml

new file mode 100644

index 0000000000..eff85d3fae

--- /dev/null

+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/rule.yml

@@ -0,0 +1,38 @@

+documentation_complete: true

+

+title: Ensure Rsyslog Encrypts Off-Loaded Audit Records

+

+description: |-

+  Rsyslogd is a system utility providing support for message logging. Support

+  for both internet and UNIX domain sockets enables this utility to support both local

+  and remote logging.  Couple this utility with <tt>gnutls</tt> (which is a secure communications

+  library implementing the SSL, TLS and DTLS protocols), and you have a method to securely

+  encrypt and off-load auditing.

+

+  When using <tt>rsyslogd</tt> to off-load logs off a encrpytion system must be used.

+

+rationale: |-

+    The audit records generated by Rsyslog contain valuable information regarding system

+    configuration, user authentication, and other such information. Audit records should be

+    protected from unauthorized access.

+

+severity: medium

+

+identifiers:

+    cce@rhel8: CCE-85992-6

+

+references:

+    disa: CCI-001851

+    nist: AU-4(1)

+    srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224

+    stigid@rhel8: RHEL-08-030710

+

+ocil_clause: 'rsyslogd DefaultNetstreamDriver not set to gtls'

+

+ocil: |-

+    Verify the operating system encrypts audit records off-loaded onto a different system

+    or media from the system being audited with the following commands:

+

+    
$ sudo grep -i '$DefaultNetstreamDriver' /etc/rsyslog.conf /etc/rsyslog.d/*.conf

+    The output should be

+    
/etc/rsyslog.conf:$DefaultNetstreamDriver gtls

diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/default_no_pass.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/default_no_pass.fail.sh

new file mode 100644

index 0000000000..6ab43bfc0d

--- /dev/null

+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/default_no_pass.fail.sh

@@ -0,0 +1,7 @@

+#!/bin/bash

+bash -x setup.sh

+

+if [[ -f encrypt.conf ]]; then

+  sed -i i/\$DefaultNetstreamDriver*.$//g /etc/rsyslog.d/encrypt.conf

+fi

+  sed -i i/\$DefaultNetstreamDriver*.$//g /etc/rsyslog.conf

diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslog.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslog.pass.sh

new file mode 100644

index 0000000000..40f1bfe087

--- /dev/null

+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslog.pass.sh

@@ -0,0 +1,4 @@

+#!/bin/bash

+bash -x setup.sh

+

+echo "\$DefaultNetstreamDriver gtls" >> /etc/rsyslog.conf

diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslog_wrong_value.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslog_wrong_value.fail.sh

new file mode 100644

index 0000000000..30a1d5b43a

--- /dev/null

+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslog_wrong_value.fail.sh

@@ -0,0 +1,4 @@

+#!/bin/bash

+bash -x setup.sh

+

+echo "\$DefaultNetstreamDriver none" >> /etc/rsyslog.d/encrypt.conf

diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslogd.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslogd.pass.sh

new file mode 100644

index 0000000000..44715bca66

--- /dev/null

+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslogd.pass.sh

@@ -0,0 +1,4 @@

+#!/bin/bash

+bash -x setup.sh

+

+echo "\$DefaultNetstreamDriver gtls" >> /etc/rsyslog.d/encrypt.conf

diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslogd_wrong_value.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslogd_wrong_value.fail.sh

new file mode 100644

index 0000000000..30a1d5b43a

--- /dev/null

+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/rsyslogd_wrong_value.fail.sh

@@ -0,0 +1,4 @@

+#!/bin/bash

+bash -x setup.sh

+

+echo "\$DefaultNetstreamDriver none" >> /etc/rsyslog.d/encrypt.conf

diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/setup.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/setup.sh

new file mode 100644

index 0000000000..9686f16bcc

--- /dev/null

+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/tests/setup.sh

@@ -0,0 +1,9 @@

+#!/bin/bash

+# Use this script to ensure the rsyslog directory structure and rsyslog conf file

+# exist in the test env.

+config_file=/etc/rsyslog.conf

+

+# Ensure directory structure exists (useful for container based testing)

+test -f $config_file || touch $config_file

+

+test -d /etc/rsyslog.d/ || mkdir /etc/rsyslog.d/

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile

index 6372d13cfc..1cc53cf1e1 100644

--- a/products/rhel8/profiles/stig.profile

+++ b/products/rhel8/profiles/stig.profile

@@ -828,6 +828,8 @@ selections:

     - auditd_overflow_action

     # RHEL-08-030710

+    - rsyslog_encrypt_offload_defaultnetstreamdriver

+    - rsyslog_encrypt_offload_actionsendstreamdrivermode

     # RHEL-08-030720

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt

index 24e8149168..fdf69f6baa 100644

--- a/shared/references/cce-redhat-avail.txt

+++ b/shared/references/cce-redhat-avail.txt

@@ -129,7 +129,6 @@ CCE-85988-4

 CCE-85989-2

 CCE-85990-0

 CCE-85991-8

-CCE-85992-6

 CCE-85993-4

 CCE-85994-2

 CCE-85995-9

@@ -235,7 +234,6 @@ CCE-86094-0

 CCE-86095-7

 CCE-86096-5

 CCE-86097-3

-CCE-86098-1

 CCE-86099-9

 CCE-86100-5

 CCE-86101-3

diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile

index 32f1a24a7a..c0ef381696 100644

--- a/tests/data/profile_stability/rhel8/stig.profile

+++ b/tests/data/profile_stability/rhel8/stig.profile

@@ -228,6 +228,8 @@ selections:

 - require_singleuser_auth

 - root_permissions_syslibrary_files

 - rsyslog_cron_logging

+- rsyslog_encrypt_offload_actionsendstreamdrivermode

+- rsyslog_encrypt_offload_defaultnetstreamdriver

 - rsyslog_remote_access_monitoring

 - rsyslog_remote_loghost

 - security_patches_up_to_date

diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile

index d6a27c67dc..5adeea4a35 100644

--- a/tests/data/profile_stability/rhel8/stig_gui.profile

+++ b/tests/data/profile_stability/rhel8/stig_gui.profile

@@ -239,6 +239,8 @@ selections:

 - require_singleuser_auth

 - root_permissions_syslibrary_files

 - rsyslog_cron_logging

+- rsyslog_encrypt_offload_actionsendstreamdrivermode

+- rsyslog_encrypt_offload_defaultnetstreamdriver

 - rsyslog_remote_access_monitoring

 - rsyslog_remote_loghost

 - security_patches_up_to_date