UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Ubuntu operating system audit event multiplexor must be configured to off-load audit logs onto a different system or storage media from the system being audited.


Overview

Finding ID Version Rule ID IA Controls Severity
V-219162 UBTU-18-010025 SV-219162r610963_rule Low
Description
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
STIG Date
Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide 2021-03-10

Details

Check Text ( C-20887r466198_chk )
Verify the audit event multiplexor is configured to off-load audit records to a different system or storage media from the system being audited.

Check that audisp-remote plugin is installed:

# sudo dpkg -s audispd-plugins

If status is "not installed", verify that another method to off-load audit logs has been implemented.

Check that the records are being off-loaded to a remote server with the following command:

# sudo grep -i active /etc/audisp/plugins.d/au-remote.conf

active = yes

If "active" is not set to "yes", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media.

If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, this is a finding.
Fix Text (F-20886r304815_fix)
Configure the audit event multiplexor to off-load audit records to a different system or storage media from the system being audited.

Install the audisp-remote plugin:

# sudo apt-get install audispd-plugins -y

Set the audisp-remote plugin as active, by editing the /etc/audisp/plugins.d/au-remote.conf file:

# sudo sed -i -E 's/active\s*=\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf

Set the address of the remote machine, by editing the /etc/audisp/audisp-remote.conf file:

# sudo sed -i -E 's/(remote_server\s*=).*/\1 /' audisp-remote.conf

where must be substituted by the address of the remote server receiving the audit log.

Make the audit service reload its configuration files:

# sudo systemctl restart auditd.service