The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-81021	RHEL-07-030211	SV-95733r1_rule		Medium

Description
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. When audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system. Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224

Description

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. When audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system. Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224

STIG	Date
Red Hat Enterprise Linux 7 Security Technical Implementation Guide	2018-11-28

Details

Check Text ( C-80737r1_chk )
Verify the audisp daemon is configured to label all off-loaded audit logs: # grep "name_format" /etc/audisp/audispd.conf name_format = hostname If the "name_format" option is not "hostname", "fqd", or "numeric", or the line is commented out, this is a finding.

Fix Text (F-87855r2_fix)
Edit the /etc/audisp/audispd.conf file and add or update the "name_format" option: name_format = hostname The audit daemon must be restarted for changes to take effect: # service auditd restart