The audit system must take appropriate action when the network cannot be used to off-load audit records.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-75859	UBTU-16-030430	SV-90539r2_rule		Medium

Description
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.

STIG	Date
Canonical Ubuntu 16.04 Security Technical Implementation Guide	2020-05-29

Details

Check Text ( C-75547r2_chk )
Verify that the audit system takes appropriate action if the network cannot be used to off-load audit records. Check what action will take place if the network connection fails with the following command: # sudo grep -iw "network_failure" /etc/audisp/audisp-remote.conf network_failure_action = stop If the value of the “network_failure_action” option is not "syslog", "single", or "halt", or the line is commented out, this is a finding.

Check Text ( C-75547r2_chk )

Verify that the audit system takes appropriate action if the network cannot be used to off-load audit records.

Check what action will take place if the network connection fails with the following command:

# sudo grep -iw "network_failure" /etc/audisp/audisp-remote.conf

network_failure_action = stop

If the value of the “network_failure_action” option is not "syslog", "single", or "halt", or the line is commented out, this is a finding.

Fix Text (F-82489r1_fix)
Configure the Ubuntu operating system to take appropriate action when the network cannot be used to off-load audit records. Add, edit or uncomment the "network_failure_action" option in "/etc/audisp/audisp-remote.conf". Set it to "syslog", "single" or "halt" like the below example: network_failure_action = single