STIGhubSTIGhub
STIGsSearchCompareAbout

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • VPAT
  • DISA STIG Library
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Anduril NixOS Security Technical Implementation Guide

V-268109

CAT II (Medium)

NixOS must authenticate the remote logging server for off-loading audit logs.

Rule ID

SV-268109r1131023_rule

STIG

Anduril NixOS Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000154, CCI-001851

Discussion

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. NixOS supports "systemd-journald", which is a common system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. This utility also natively supports TLS to securely encrypt and off-load auditing. Satisfies: SRG-OS-000051-GPOS-00024, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224

Check Content

Verify the operating system authenticates the remote logging server for off-loading audit logs.

List the configured destinations with the following command:

$ grep -i "TrustedCertificateFile" /etc/systemd/journal-upload.conf"

If no TrustedCertificateFile is configured or is set to "all", this is a finding.

Fix Text

Configure the operating system to authenticate the remote logging server for off-loading audit logs.

Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:

  destination d_network {
   syslog(
    "<remote-logging-server>" port(<port>)
    transport(tls)
    tls(
     cert-file("/var/syslog-ng/certs.d/certificate.crt")
     key-file("/var/syslog-ng/certs.d/certificate.key")
     ca-file("/var/syslog-ng/certs.d/cert-bundle.crt")
     peer-verify(yes)
    )
   );
  };

  log { source(s_local); destination(d_local); destination(d_network); };

For example, an updated configuration of 'services.rsyslogd.extraConfig' would look like the following in /etc/nixos/configuration.nix ('...' denoting that the 'services.rsyslogd.extraConfig' configuration may have other options configured):

 services.rsyslogd.extraConfig = ''
   ...
   destination d_network {
    syslog(
     "<remote-logging-server>" port(<port>)
     transport(tls)
     tls(
      cert-file("/var/syslog-ng/certs.d/certificate.crt")
      key-file("/var/syslog-ng/certs.d/certificate.key")
      ca-file("/var/syslog-ng/certs.d/cert-bundle.crt")
      peer-verify(yes)
     )
    );
   };

   log { source(s_local); destination(d_local); destination(d_network); };
   ...
  '';

Rebuild and switch to the new NixOS configuration:
$ sudo nixos-rebuild switch