Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The Oracle Linux operating system must configure the au-remote plugin to off-load audit logs using the audisp-remote daemon.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-99273 | OL07-00-030201 | SV-108377r1_rule | Medium |
| Description |
|---|
| Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. Without the configuration of the "au-remote" plugin, the audisp-remote daemon will not off load the logs from the system being audited. Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 |
| STIG | Date |
|---|---|
| Oracle Linux 7 Security Technical Implementation Guide | 2020-05-29 |
Details
| Check Text ( C-98119r1_chk ) |
|---|
| Verify the "au-remote" plugin is configured to always off-load audit logs using the audisp-remote daemon: # cat /etc/audisp/plugins.d/au-remote.conf | grep -v "^#" active = yes direction = out path = /sbin/audisp-remote type = always format = string If the "direction" setting is not set to "out", or the line is commented out, this is a finding. If the "path" setting is not set to "/sbin/audisp-remote", or the line is commented out, this is a finding. If the "type" setting is not set to "always", or the line is commented out, this is a finding. |
| Fix Text (F-104955r1_fix) |
|---|
| Edit the /etc/audisp/plugins.d/au-remote.conf file and add or update the following values: direction = out path = /sbin/audisp-remote type = always The audit daemon must be restarted for changes to take effect: # service auditd restart |