UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Ubuntu operating system audit event multiplexor must be configured to off-load audit logs onto a different system in real time, if the system is interconnected.


Overview

Finding ID Version Rule ID IA Controls Severity
V-219153 UBTU-18-010007 SV-219153r610963_rule Low
Description
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
STIG Date
Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide 2021-06-16

Details

Check Text ( C-20878r304787_chk )
Verify the audit event multiplexor is configured to off-load audit records to a different system or storage media from the system being audited.

Check that audisp-remote plugin is installed:

# sudo dpkg -s audispd-plugins

If status is "not installed", this is a finding.

Check that the records are being off-loaded to a remote server with the following command:

# sudo grep -i active /etc/audisp/plugins.d/au-remote.conf

active = yes

If "active" is not set to "yes", or the line is commented out, this is a finding.

Check that audisp-remote plugin is configured to send audit logs to a different system:

# sudo grep -i ^remote_server /etc/audisp/audisp-remote.conf

remote_server = 192.168.122.126

If the remote_server parameter is not set or is set with a local address, or is set with invalid address, this is a finding.
Fix Text (F-20877r304788_fix)
Configure the audit event multiplexor to off-load audit records to a different system or storage media from the system being audited.

Install the audisp-remote plugin:

# sudo apt-get install audispd-plugins -y

Set the audisp-remote plugin as active, by editing the /etc/audisp/plugins.d/au-remote.conf file:

# sudo sed -i -E 's/active\s*=\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf

Set the address of the remote machine, by editing the /etc/audisp/audisp-remote.conf file:

# sudo sed -i -E 's/(remote_server\s*=).*/\1 /' audisp-remote.conf

where must be substituted by the address of the remote server receiving the audit log.

Make the audit service reload its configuration files:

# sudo systemctl restart auditd.service