UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Ubuntu operating system audit event multiplexor must be configured to off-load audit logs onto a different system or storage media from the system being audited.


Overview

Finding ID Version Rule ID IA Controls Severity
V-238306 UBTU-20-010216 SV-238306r654093_rule Low
Description
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224
STIG Date
Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide 2021-11-19

Details

Check Text ( C-41516r654091_chk )
Verify the audit event multiplexor is configured to offload audit records to a different system or storage media from the system being audited.

Check that audisp-remote plugin is installed:

$ sudo dpkg -s audispd-plugins

If status is "not installed", this is a finding.

Check that the records are being offloaded to a remote server with the following command:

$ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf

active = yes

If "active" is not set to "yes", or the line is commented out, this is a finding.

Check that audisp-remote plugin is configured to send audit logs to a different system:

$ sudo grep -i ^remote_server /etc/audisp/audisp-remote.conf

remote_server = 192.168.122.126

If the "remote_server" parameter is not set, is set with a local address, or is set with an invalid address, this is a finding.
Fix Text (F-41475r654092_fix)
Configure the audit event multiplexor to offload audit records to a different system or storage media from the system being audited.

Install the audisp-remote plugin:

$ sudo apt-get install audispd-plugins -y

Set the audisp-remote plugin as active by editing the "/etc/audisp/plugins.d/au-remote.conf" file:

$ sudo sed -i -E 's/active\s*=\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf

Set the address of the remote machine by editing the "/etc/audisp/audisp-remote.conf" file:

$ sudo sed -i -E 's/(remote_server\s*=).*/\1 /' /etc/audisp/audisp-remote.conf

where must be substituted by the address of the remote server receiving the audit log.

Make the audit service reload its configuration files:

$ sudo systemctl restart auditd.service