UBTU-18-010007 - The Ubuntu operating system audit event multiplexor must be configured to off-load audit logs onto a different system in real time, if the system is interconnected.


Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Off-loading is a common process in information systems with limited audit storage capacity.


Configure the audit event multiplexor to off-load audit records to a different system or storage media from the system being audited.

Install the audisp-remote plugin:

# sudo apt-get install audispd-plugins -y

Set the audisp-remote plugin as active, by editing the /etc/audisp/plugins.d/au-remote.conf file:

# sudo sed -i -E 's/actives*=s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf

Set the address of the remote machine, by editing the /etc/audisp/audisp-remote.conf file:

# sudo sed -i -E 's/(remote_servers*=).*/1 <remote addr>/' audisp-remote.conf

where <remote addr> must be substituted by the address of the remote server receiving the audit log.

Make the audit service reload its configuration files:

# sudo systemctl restart auditd.service

See Also


Item Details

References: CAT|III, CCI|CCI-001851, Rule-ID|SV-219153r853361_rule, STIG-ID|UBTU-18-010007, STIG-Legacy|SV-109635, STIG-Legacy|V-100531, Vuln-ID|V-219153

Plugin: Unix

Control ID: 03d939aa1c28e134ccbf9f38127e233167150c3a7a42075fcf42964a176e37e0