The NixOS audit records must be off-loaded onto a different system or storage media from the system being audited.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-268108 | SRG-OS-000051-GPOS-00024 | ANIX-00-000480 | SV-268108r1131020_rule | 2025-08-19 | 1 |
| Description |
|---|
| Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. NixOS supports "systemd-journald", which is a common system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. This utility also natively supports TLS to securely encrypt and off-load auditing. |
| ℹ️ Check |
|---|
| Verify the audit system off-loads audit records onto a different system or media from the system being audited. List the configured destinations with the following command: $ grep -i "Url" /etc/systemd/journal-upload.conf" If no URL is configured, this is a finding. |
| ✔️ Fix |
|---|
| Configure the operating system to off-load audit records onto a different system or media from the system being audited by specifying a remote destination in the systemd-journald configuration. On the client, modify /etc/nixos/configuration.nix or /etc/nixos/flake.nix to include the following lines: services.journald.upload = { enable = true; Upload = { ServerKeyFile = $PATH_TO_CLIENT_PEM_SSL_KEY; URL = $URL_OF_REMOTE_SERVER; ServerCertificateFile = $PATH_TO_SSL_CERT; TrustedCertificateFile = $PATH_TO_SERVER_CERT; }; }; } On the server, modify /etc/nixos/configuration.nix or /etc/nixos/flake.nix to include the following lines: services.journald.remote = { enable = true; listen = "https"; URL = $URL_OF_REMOTE_SERVER; ServerKeyFile = $PATH_TO_SERVER_PEM_SSL_KEY; ServerCertificateFile = $PATH_TO_SSL_CERT; }; }; |