The Oracle Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-221767	OL07-00-030201	SV-221767r877390_rule		Medium

Description
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. One method of off-loading audit logs in Oracle Linux is with the use of the audisp-remote dameon. Without the configuration of the "au-remote" plugin, the audisp-remote daemon will not off load the logs from the system being audited. Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224

Description

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. One method of off-loading audit logs in Oracle Linux is with the use of the audisp-remote dameon. Without the configuration of the "au-remote" plugin, the audisp-remote daemon will not off load the logs from the system being audited. Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224

STIG	Date
Oracle Linux 7 Security Technical Implementation Guide	2023-12-01

Details

Check Text ( C-36288r602458_chk )
Verify the "au-remote" plugin is configured to always off-load audit logs using the audisp-remote daemon: # cat /etc/audisp/plugins.d/au-remote.conf \| grep -v "^#" active = yes direction = out path = /sbin/audisp-remote type = always format = string If "active" is not set to "yes", "direction" is not set to "out", "path" is not set to "/sbin/audisp-remote", "type is not set to "always", or any of the lines are commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media. If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, this is a finding.

Check Text ( C-36288r602458_chk )

Verify the "au-remote" plugin is configured to always off-load audit logs using the audisp-remote daemon:

# cat /etc/audisp/plugins.d/au-remote.conf | grep -v "^#"

active = yes
direction = out
path = /sbin/audisp-remote
type = always
format = string

If "active" is not set to "yes", "direction" is not set to "out", "path" is not set to "/sbin/audisp-remote", "type is not set to "always", or any of the lines are commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media.

If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, this is a finding.

Fix Text (F-36252r858453_fix)
Edit the /etc/audisp/plugins.d/au-remote.conf file and add or update the following values: active = yes direction = out path = /sbin/audisp-remote type = always The audit daemon must be restarted for changes to take effect: # service auditd restart