Audit records must be stored at a secondary location.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-233169	SRG-APP-000358-CTR-000805	SV-233169r601784_rule		Medium

Description
Auditable events are used in the investigation of incidents and must be protected from being deleted or altered. Often, events that took place in the past must be viewed to understand the entire incident. For the purposes of audit event protection and recall, audit events are often off-loaded to an external storage location. The container platform must provide a mechanism to assist in the off-loading of the audit data or at a minimum, must not hinder an external process used for audit event off-loading.

Description

Auditable events are used in the investigation of incidents and must be protected from being deleted or altered. Often, events that took place in the past must be viewed to understand the entire incident. For the purposes of audit event protection and recall, audit events are often off-loaded to an external storage location. The container platform must provide a mechanism to assist in the off-loading of the audit data or at a minimum, must not hinder an external process used for audit event off-loading.

STIG	Date
Container Platform Security Requirements Guide	2021-12-14

Details

Check Text ( C-36105r601783_chk )
Verify the log records are being off-loaded to a separate system or transferred from the container platform storage location to a storage location other than the container platform itself. The information system may demonstrate this capability using a log management application, system configuration, or other means. If logs are not being off-loaded, this is a finding.

Fix Text (F-36073r600995_fix)
Configure the container platform to off-load the logs to a remote log or management server.