Detections
Analytics

4.1.2.13 Ensure off-loaded audit logs are labeled.

Information

The operating system must label all off-loaded audit logs before sending them to the central log server.

Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Off-loading is a common process in information systems with limited audit storage capacity.

When audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system.

Solution

Edit the /etc/audisp/audispd.conf file and add or update the name_format option:

Example: vim /etc/audisp/audispd.conf

Add the name format to include hostname, fqd, or numeric.

Example:

name_format = hostname

The audit daemon must be restarted for changes to take effect:

# service auditd restart

See Also

https://workbench.cisecurity.org/benchmarks/8415

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4(1), CAT|II, CCI|CCI-001851, CSCv7|6.2, Rule-ID|SV-204508r603261_rule, STIG-ID|RHEL-07-030211, Vuln-ID|V-204508

Plugin: Unix

Control ID: 9125c9f6a4304b73352e83e8176bfe8e78aed0feb181fb35598866aa7a38360c