The CA API Gateway must off-load audit records onto a different system or media than the system being audited.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-71569	CAGW-DM-000350	SV-86193r1_rule		Low

Description
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.

STIG	Date
CA API Gateway NDM Security Technical Implementation Guide	2016-09-20

Details

Check Text ( C-71947r1_chk )
Verify by confirming the following lines are part of "rsyslogd.conf": # auditd audit.log $ModLoad imfile $InputFileName /var/log/audit/audit.log $InputFileTag tag_audit_log: $InputFileStateFile audit_log $InputFileSeverity info $InputFileFacility local6 $InputRunFileMonitor Further verify that this line is also part of the rsyslogd.conf file: local6.* @@loghost.ca.com If "rsyslogd.conf" does not contain the above lines, this is a finding.

Check Text ( C-71947r1_chk )

Verify by confirming the following lines are part of "rsyslogd.conf":

# auditd audit.log
$ModLoad imfile
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor

Further verify that this line is also part of the rsyslogd.conf file:
local6.* @@loghost.ca.com

If "rsyslogd.conf" does not contain the above lines, this is a finding.

Fix Text (F-77893r1_fix)
Setup steps: Configure rsyslogd to monitor "/var/log/auditd/auditd.log" file for updates by adding stanza: # auditd audit.log $ModLoad imfile $InputFileName /var/log/audit/audit.log $InputFileTag tag_audit_log: $InputFileStateFile audit_log $InputFileSeverity info $InputFileFacility local6 $InputRunFileMonitor to the "/etc/rsyslogd.conf" file. Note: This creates audit log entries for facility "local6" and priority "info." This can be changed to suite. Configure "rsyslogd" to forward this combination (local6.info) to the appropriate loghost by adding logging rule to the rule section of the "rsyslogd.conf" file: local6.* @@loghost.ca.com Note that the syntax "@@loghost.ca.com" means that the records are forwarded via TCP. A single "@" before the remote loghost would mean the records are forwarded via UDP.

Fix Text (F-77893r1_fix)

Setup steps:

Configure rsyslogd to monitor "/var/log/auditd/auditd.log" file for updates by adding stanza:

# auditd audit.log
$ModLoad imfile
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor

to the "/etc/rsyslogd.conf" file.

Note: This creates audit log entries for facility "local6" and priority "info." This can be changed to suite.

Configure "rsyslogd" to forward this combination (local6.info) to the appropriate loghost by adding logging rule to the rule section of the "rsyslogd.conf" file:

local6.* @@loghost.ca.com

Note that the syntax "@@loghost.ca.com" means that the records are forwarded via TCP.

A single "@" before the remote loghost would mean the records are forwarded via UDP.