Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-81021 | RHEL-07-030211 | SV-95733r1_rule | Medium |
Description |
---|
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. When audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system. Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 |
STIG | Date |
---|---|
Red Hat Enterprise Linux 7 Security Technical Implementation Guide | 2019-03-08 |
Check Text ( C-80737r1_chk ) |
---|
Verify the audisp daemon is configured to label all off-loaded audit logs: # grep "name_format" /etc/audisp/audispd.conf name_format = hostname If the "name_format" option is not "hostname", "fqd", or "numeric", or the line is commented out, this is a finding. |
Fix Text (F-87855r2_fix) |
---|
Edit the /etc/audisp/audispd.conf file and add or update the "name_format" option: name_format = hostname The audit daemon must be restarted for changes to take effect: # service auditd restart |