4.10 Ensure off-loaded audit logs are labeled.

Information

The operating system must label all off-loaded audit logs before sending them to the central log server.

Rationale:

Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Off-loading is a common process in information systems with limited audit storage capacity.

When audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system.

Solution

Edit the /etc/audisp/audispd.conf file and add or update the name_format option:
Example: vim /etc/audisp/audispd.conf
Add the name format to include hostname, fqd, or numeric.
Example:

name_format = hostname

The audit daemon must be restarted for changes to take effect:

# service auditd restart

Notes:

This Benchmark recommendation maps to:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide:

Version 2, Release: 3 Benchmark Date: 26 Apr 2019



Vul ID: V-81021

Rule ID: SV-95733r1_rule

STIG ID: RHEL-07-030211

Severity: CAT II

See Also

https://workbench.cisecurity.org/files/2688

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4(1)

Plugin: Unix

Control ID: 9e1b9bd2485df5b102bfd11005be5b3bde55b2a4dec41a2502a74f06326fb64f