4.1.2.11 Ensure off-load of audit logs - type

Information

The operating system must configure the au-remote plugin to off-load audit logs using the audisp-remote daemon.

Rationale:

Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Off-loading is a common process in information systems with limited audit storage capacity.

Without the configuration of the 'au-remote' plugin, the audisp-remote daemon will not off-load the logs from the system being audited.

Solution

Edit the /etc/audisp/plugins.d/au-remote.conf file and add, uncomment or update the following values:
Example: vim /etc/audisp/plugins.d/au-remote.conf
Add, uncomment or update the following lines:

direction = out
path = /sbin/audisp-remote
type = always

The audit daemon must be restarted for changes to take effect:

# service auditd restart
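
The following check is an added example and is not part of the CIS benchmark text. It is a POSIX shell audit script that reads an au-remote.conf file, ignores commented-out lines the way the plugin loader would, and reports whether the three values above (direction, path, type) are set as this recommendation requires. The function names au_remote_value and au_remote_check are assumptions; the file path /etc/audisp/plugins.d/au-remote.conf is the one from this recommendation. Run it as-is to check the live file, or pass another path as the first argument.

```shell
#!/bin/sh
# Added audit check (not from the CIS benchmark): verify that an au-remote.conf
# carries direction = out, path = /sbin/audisp-remote and type = always.
# Function names au_remote_value / au_remote_check are assumptions made here.

# Print the effective value of KEY in FILE: comments are stripped, surrounding
# whitespace is trimmed, and the last matching "key = value" line wins.
# Usage: au_remote_value FILE KEY
au_remote_value() {
    sed -e 's/#.*//' "$1" \
        | awk -F= -v key="$2" '
            {
                gsub(/^[ \t]+|[ \t]+$/, "", $1)
                if ($1 == key) {
                    v = $2
                    gsub(/^[ \t]+|[ \t]+$/, "", v)
                    val = v
                }
            }
            END { print val }'
}

# Compare FILE against the three required settings; print one PASS/FAIL line
# per key and return 0 only when every key matches (1 otherwise).
# Usage: au_remote_check FILE
au_remote_check() {
    f="$1"
    rc=0
    if [ ! -r "$f" ]; then
        echo "FAIL: $f is missing or unreadable"
        return 1
    fi
    for pair in "direction=out" "path=/sbin/audisp-remote" "type=always"; do
        key="${pair%%=*}"
        want="${pair#*=}"
        got="$(au_remote_value "$f" "$key")"
        if [ "$got" = "$want" ]; then
            echo "PASS: $key = $got"
        else
            echo "FAIL: $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: check the path from this recommendation, or the file given
# as the first argument.
if [ "$#" -gt 0 ]; then
    target="$1"
else
    target=/etc/audisp/plugins.d/au-remote.conf
fi
if [ "$#" -gt 0 ] || [ -r "$target" ]; then
    au_remote_check "$target" && echo "RESULT: compliant" || echo "RESULT: non-compliant"
fi
```

A commented-out `# type = always` line does not satisfy the check, and neither does a wrong value such as `direction = in`, so the script fails closed for the cases an auditor cares about; the auditd restart from the step above is still required after any change it flags.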

See Also

https://workbench.cisecurity.org/files/3636