Detections
Analytics

1.121 UBTU-22-653020

Information

The operating system audit event multiplexor must be configured to offload audit logs onto a different system from the system being audited.

GROUP ID: V-260592
RULE ID: SV-260592r958754

Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Offloading is a common process in information systems with limited audit storage capacity.

The auditd service does not include the ability to send audit records to a centralized server for management directly. However, it can use a plug-in for audit event multiplexor to pass audit records to a remote server.

Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224

Solution

Configure the audit event multiplexor to offload audit records to a different system from the system being audited.

Install the "audisp-plugins" package by using the following command:

$ sudo apt-get install audispd-plugins

Set the audisp-remote plugin as active by editing the "/etc/audit/plugins.d/au-remote.conf" file:

$ sudo sed -i -E 's/active\s*=\s*no/active = yes/' /etc/audit/plugins.d/au-remote.conf

Set the IP address of the remote system by editing the "/etc/audit/audisp-remote.conf" file:

$ sudo sed -i -E 's/(remote_server\s*=).*/\1 <remote_server_ip_address>/' /etc/audit/audisp-remote.conf

Restart the "auditd.service" for the changes to take effect:

$ sudo systemctl restart auditd.service

See Also

https://workbench.cisecurity.org/benchmarks/22168

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4(1), CAT|III, CCI|CCI-001851, CSCv7|6.2, CSCv7|6.3, Rule-ID|SV-260592r958754_rule, STIG-ID|UBTU-22-653020, Vuln-ID|V-260592

Plugin: Unix

Control ID: 14abe87c33126199d3457a591f40c14eed352827f845ea6d5a9a62c7f40dc59e