The Ubuntu operating system audit event multiplexor must be configured to off-load audit logs onto a different system or storage media from the system being audited.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-219162	UBTU-18-010025	SV-219162r877390_rule		Low

Description
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.

STIG	Date
Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide	2023-09-08

Details

Check Text ( C-20887r853366_chk )
Verify the audit event multiplexor is configured to off-load audit records to a different system or storage media from the system being audited. Check that audisp-remote plugin is installed: # sudo dpkg -s audispd-plugins If status is "not installed", verify that another method to off-load audit logs has been implemented. Check that the records are being off-loaded to a remote server with the following command: # sudo grep -i active /etc/audisp/plugins.d/au-remote.conf active = yes If "active" is not set to "yes", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media. If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, this is a finding.

Check Text ( C-20887r853366_chk )

Verify the audit event multiplexor is configured to off-load audit records to a different system or storage media from the system being audited.

Check that audisp-remote plugin is installed:

# sudo dpkg -s audispd-plugins

If status is "not installed", verify that another method to off-load audit logs has been implemented.

Check that the records are being off-loaded to a remote server with the following command:

# sudo grep -i active /etc/audisp/plugins.d/au-remote.conf

active = yes

If "active" is not set to "yes", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media.

If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, this is a finding.

Fix Text (F-20886r304815_fix)
Configure the audit event multiplexor to off-load audit records to a different system or storage media from the system being audited. Install the audisp-remote plugin: # sudo apt-get install audispd-plugins -y Set the audisp-remote plugin as active, by editing the /etc/audisp/plugins.d/au-remote.conf file: # sudo sed -i -E 's/active\s=\sno/active = yes/' /etc/audisp/plugins.d/au-remote.conf Set the address of the remote machine, by editing the /etc/audisp/audisp-remote.conf file: # sudo sed -i -E 's/(remote_server\s=)./\1 /' audisp-remote.conf where must be substituted by the address of the remote server receiving the audit log. Make the audit service reload its configuration files: # sudo systemctl restart auditd.service

Fix Text (F-20886r304815_fix)

Configure the audit event multiplexor to off-load audit records to a different system or storage media from the system being audited.

Install the audisp-remote plugin:

# sudo apt-get install audispd-plugins -y

Set the audisp-remote plugin as active, by editing the /etc/audisp/plugins.d/au-remote.conf file:

# sudo sed -i -E 's/active\s*=\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf

Set the address of the remote machine, by editing the /etc/audisp/audisp-remote.conf file:

# sudo sed -i -E 's/(remote_server\s*=).*/\1 /' audisp-remote.conf

where must be substituted by the address of the remote server receiving the audit log.

Make the audit service reload its configuration files:

# sudo systemctl restart auditd.service