
The audit system must take appropriate action when the network cannot be used to off-load audit records.


Overview

Finding ID: V-215140
Version: UBTU-16-030430
Rule ID: SV-215140r610931_rule
IA Controls: (none)
Severity: Medium
Description
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
STIG: Canonical Ubuntu 16.04 LTS Security Technical Implementation Guide
Date: 2020-12-09

Details

Check Text (C-16339r285288_chk)
Verify that the audit system takes appropriate action if the network cannot be used to off-load audit records.

Check what action will take place if the network connection fails with the following command:

# sudo grep -iw "network_failure" /etc/audisp/audisp-remote.conf

network_failure_action = stop

If the value of the "network_failure_action" option is not "syslog", "single", or "halt", or the line is commented out, this is a finding.
Fix Text (F-16337r285289_fix)
Configure the Ubuntu operating system to take appropriate action when the network cannot be used to off-load audit records.

Add, edit, or uncomment the "network_failure_action" option in "/etc/audisp/audisp-remote.conf". Set it to "syslog", "single", or "halt", as in the example below:

network_failure_action = single
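
The check above can be scripted for repeated audits. The following is an added example, not part of the STIG text: the function name check_network_failure_action is hypothetical, and the script assumes that the last uncommented assignment in the file is the effective one and that keys and values are matched case-insensitively.

```shell
#!/bin/sh
# Added example (not from the STIG): scripted form of the check text.
# Returns 0 when the setting is compliant, 1 when it is a finding.

check_network_failure_action() {
    # Default path is the one named in the check text.
    conf="${1:-/etc/audisp/audisp-remote.conf}"

    [ -r "$conf" ] || { echo "FINDING: cannot read $conf"; return 1; }

    # Extract the value of the last uncommented assignment (assumption:
    # a later line overrides an earlier one). A commented-out line never
    # matches, because the key must be the first token on the line.
    value=$(awk -F= '
        tolower($0) ~ /^[ \t]*network_failure_action[ \t]*=/ {
            v = $2
            gsub(/[ \t\r]/, "", v)   # drop surrounding whitespace and CR
            last = tolower(v)
        }
        END { print last }' "$conf")

    case "$value" in
        syslog|single|halt)
            echo "OK: network_failure_action = $value"
            return 0 ;;
        "")
            echo "FINDING: network_failure_action is missing or commented out"
            return 1 ;;
        *)
            echo "FINDING: network_failure_action = $value"
            return 1 ;;
    esac
}
```

Call the function with no argument to check the default path, or pass the path of a copied configuration file to audit it offline.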