
The audit event multiplexor must be configured to off-load audit logs onto a different system or storage media from the system being audited.


Overview

Finding ID: V-215053
Version: UBTU-16-020210
Rule ID: SV-215053r610931_rule
IA Controls: (none listed)
Severity: Medium
Description
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
STIG: Canonical Ubuntu 16.04 LTS Security Technical Implementation Guide
Date: 2020-12-09

Details

Check Text (C-16252r466246_chk)
Verify the audit event multiplexor is configured to off-load audit records to a different system or storage media from the system being audited.

Check that the records are being off-loaded to a remote server with the following command:

# sudo grep -i active /etc/audisp/plugins.d/au-remote.conf

active = yes

If "active" is not set to "yes", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media.

If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, this is a finding.
Fix Text (F-16250r466247_fix)
Configure the audit event multiplexor to off-load audit records to a different system or storage media from the system being audited.

Set the "active" option in "/etc/audisp/plugins.d/au-remote.conf" to "yes":

active = yes

In order for the changes to take effect, the audit daemon must be restarted. The audit daemon can be restarted with the following command:

# sudo systemctl restart auditd.service
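The check and fix above as one script. This is an added example, not part of the STIG text: it reports a finding only when no uncommented "active = yes" line exists (the bare "grep -i active" in the check text also prints commented-out lines, so the commented-out case is handled explicitly here), rewrites the setting when run with the "fix" argument, and restarts auditd as the fix text requires. It additionally reports the "remote_server" value from /etc/audisp/audisp-remote.conf, which the STIG check does not look at: that file is where the audisp-remote plugin takes its destination, and an active plugin with no server configured off-loads nothing. The REMOTE_CONF path, the function names and the "check"/"fix" arguments are this example's own choices, not anything from the STIG.

```shell
#!/bin/sh
# Added example for UBTU-16-020210; not part of the STIG text.
# Usage:  sh au-remote-check.sh          (report only, read-only)
#         sudo sh au-remote-check.sh fix (set active = yes, restart auditd)
PLUGIN_CONF="${PLUGIN_CONF:-/etc/audisp/plugins.d/au-remote.conf}"   # path from the STIG
REMOTE_CONF="${REMOTE_CONF:-/etc/audisp/audisp-remote.conf}"         # audisp-remote's own config; not in the STIG check

# au_remote_active FILE: succeed only if FILE has an uncommented "active = yes"
# line (whitespace- and case-insensitive). A commented-out "# active = yes"
# does not count, which is what the STIG's "commented out" clause requires.
au_remote_active() {
    grep -Eiq '^[[:space:]]*active[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1" 2>/dev/null
}

# au_remote_enable FILE: drop every existing "active =" line, commented or not,
# and append the required setting, so the file ends up with exactly one value.
# Writes via a temp file and copies back so the original mode and owner are kept.
au_remote_enable() {
    f="$1"
    tmp="$f.tmp.$$"
    {
        grep -Eiv '^[[:space:]]*#?[[:space:]]*active[[:space:]]*=' "$f" 2>/dev/null || true
        printf 'active = yes\n'
    } > "$tmp" && cat "$tmp" > "$f" && rm -f "$tmp"
}

# au_remote_target FILE: print the remote_server value from an audisp-remote
# config (empty output if the key is missing or has no value).
au_remote_target() {
    sed -En 's/^[[:space:]]*remote_server[[:space:]]*=[[:space:]]*([^[:space:]#]*).*$/\1/p' "$1" 2>/dev/null | head -n 1
}

case "${1:-check}" in
    check)
        if au_remote_active "$PLUGIN_CONF"; then
            echo "OK: active = yes in $PLUGIN_CONF"
        else
            echo "FINDING: 'active = yes' is not set (or is commented out) in $PLUGIN_CONF"
        fi
        target="$(au_remote_target "$REMOTE_CONF")"
        if [ -n "$target" ]; then
            echo "remote_server = $target ($REMOTE_CONF)"
        else
            echo "WARNING: no remote_server in $REMOTE_CONF; an active plugin with no destination off-loads nothing"
        fi
        ;;
    fix)
        au_remote_enable "$PLUGIN_CONF"
        systemctl restart auditd.service   # the change only takes effect after a restart
        ;;
    *)
        echo "usage: $0 [check|fix]" >&2
        ;;
esac
```

Running it without arguments is safe on a production host, since the check branch only reads the two files. The fix branch rewrites the plugin file and restarts auditd, so run it as root and expect a brief gap in local audit logging while the daemon restarts.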