
Ubuntu 22.04 LTS audit event multiplexor must be configured to offload audit logs onto a different system from the system being audited.


Overview

Finding ID: V-260592
Version: UBTU-22-653020
Rule ID: SV-260592r958754_rule
IA Controls: (none listed)
Severity: Low
Description
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity. The auditd service does not include the ability to send audit records to a centralized server for management directly. However, it can use a plug-in for audit event multiplexor to pass audit records to a remote server.

Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224

STIG: Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
Date: 2024-05-30

Details

Check Text ( C-64321r953587_chk )
Verify the audit event multiplexor is configured to offload audit records to a different system from the system being audited.

Check if the "audispd-plugins" package is installed:

$ dpkg -l | grep audispd-plugins
ii audispd-plugins 1:3.0.7-1build1 amd64 Plugins for the audit event dispatcher

If the "audispd-plugins" package is not installed, this is a finding.

Check that the records are being offloaded to a remote server by using the following command:

$ sudo grep -i active /etc/audit/plugins.d/au-remote.conf
active = yes

If "active" is not set to "yes", or the line is commented out, or is missing, this is a finding.

Check that the audisp-remote plugin is configured to send audit logs to a different system:

$ sudo grep -i remote_server /etc/audit/audisp-remote.conf
remote_server = 240.9.19.81

If the "remote_server" parameter is not set, is set with a local IP address, or is set with an invalid IP address, this is a finding.
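As an added check script (not part of the STIG or any Canonical tooling), the three conditions above can be evaluated mechanically instead of by eyeballing grep output: the config parsers take a file path so they can be run against any copy of the files. The dpkg-query status line, the rejection of addresses found on the host's own interfaces via `ip`, and the RUN_AUDIT_CHECK variable are my assumptions.

```shell
#!/bin/sh
# Added example (not from the STIG): re-implements the UBTU-22-653020 check so each
# condition is evaluated against a config file rather than only inspected via grep.

# Return 0 if the last uncommented "active" assignment in $1 is "yes".
plugin_active() {
    local val
    val=$(sed -n -E 's/^[[:space:]]*active[[:space:]]*=[[:space:]]*([^[:space:]]+).*/\1/p' "$1" | tail -n 1)
    [ "$val" = "yes" ]
}

# Print the last uncommented remote_server value in $1 (prints nothing if unset).
remote_server_value() {
    sed -n -E 's/^[[:space:]]*remote_server[[:space:]]*=[[:space:]]*([^[:space:]#]*).*/\1/p' "$1" | tail -n 1
}

# Return 0 if $1 is a well-formed IPv4 address that is not loopback, not 0.0.0.0 and
# (when the ip tool is present, an assumption) not assigned to one of this host's interfaces.
is_nonlocal_ipv4() {
    local addr o oldifs
    addr=$1
    [ -n "$addr" ] || return 1
    case $addr in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    case $addr in 127.*|0.0.0.0) return 1 ;; esac
    if command -v ip >/dev/null 2>&1; then
        ip -4 -o addr show 2>/dev/null | awk '{print $4}' | cut -d/ -f1 | grep -qxF "$addr" && return 1
    fi
    return 0
}

# Live check of this host, mirroring the three STIG conditions; needs root to read the files.
audit_remote_check() {
    local rc srv
    rc=0
    dpkg-query -W -f='${Status}\n' audispd-plugins 2>/dev/null | grep -q '^install ok installed$' \
        || { echo "FINDING: audispd-plugins package is not installed"; rc=1; }
    plugin_active /etc/audit/plugins.d/au-remote.conf \
        || { echo "FINDING: au-remote.conf does not have active = yes"; rc=1; }
    srv=$(remote_server_value /etc/audit/audisp-remote.conf || true)
    is_nonlocal_ipv4 "$srv" \
        || { echo "FINDING: remote_server is unset, local, or invalid: '${srv:-unset}'"; rc=1; }
    return $rc
}

# Run the live check only when asked, e.g.: sudo env RUN_AUDIT_CHECK=1 sh audit_remote_check.sh
if [ "${RUN_AUDIT_CHECK:-0}" = 1 ]; then audit_remote_check; fi
```

A non-zero exit from audit_remote_check means at least one finding was printed, which makes the script usable from a configuration-management or CI job.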

Fix Text (F-64229r953588_fix)
Configure the audit event multiplexor to offload audit records to a different system from the system being audited.

Install the "audispd-plugins" package by using the following command:

$ sudo apt-get install audispd-plugins

Set the audisp-remote plugin as active by editing the "/etc/audit/plugins.d/au-remote.conf" file:

$ sudo sed -i -E 's/active\s*=\s*no/active = yes/' /etc/audit/plugins.d/au-remote.conf

Set the IP address of the remote system by editing the "/etc/audit/audisp-remote.conf" file, replacing the <remote_server_ip_address> placeholder with the address of the remote log server:

$ sudo sed -i -E 's/(remote_server\s*=).*/\1 <remote_server_ip_address>/' /etc/audit/audisp-remote.conf

Restart the "auditd.service" for the changes to take effect:

$ sudo systemctl restart auditd.service