4.11 (L1) Host must use strict x509 verification for TLS-enabled remote logging endpoints

Information

When employing remote logging with TLS-enabled endpoints, it is essential to ensure the utmost integrity and authenticity of the certificates in use. The "x509-strict" option provides a higher level of security by performing additional validity checks on CA root certificates during the verification process. This increased scrutiny ensures that only genuinely authenticated and trusted certificates are accepted, minimizing potential vulnerabilities. The parameter governing this behavior is Syslog.global.certificate.strictX509Compliance with a recommended setting of TRUE.

Ensuring stringent verification of CA root certificates provides a higher level of trust and security in the remote logging process. Adopting the "x509-strict" option minimizes the risk of accepting compromised or malicious certificates, thereby reducing the potential for data breaches, man-in-the-middle attacks, or other security compromises.

Solution

Impact:

There is no immediate functional impact from using strict x509 verification for TLS-enabled remote logging endpoints. However, organizations must ensure that their CA root certificates meet the strict criteria set by this option. If certificates do not meet these criteria, there may be disruptions in log transmissions, necessitating adjustments or updates to the certificates in use.

See Also

https://workbench.cisecurity.org/benchmarks/15784

Item Details

Category: ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AC-17, 800-53|AC-17(1), 800-53|SC-7, 800-53|SI-4, CSCv7|1.8

Plugin: VMware

Control ID: 1a6f34d826e103c20368c8378a09969849835eb5ad683cf5de07cf2d1ca336b4