4.1.1.4 Ensure audit logs are stored on a different system.

Information

The operating system must off-load audit records onto a different system or media from the system being audited.

Rationale:

Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Off-loading is a common process in information systems with limited audit storage capacity.

Solution

Configure the operating system to off-load audit records onto a different system or media from the system being audited.
Set the remote server option in /etc/audisp/audisp-remote.conf with the IP address of the log aggregation server.
Example: vim /etc/audisp/audisp-remote.conf
Add, uncomment or update the following line:
Note: The ip address listed is just for an example. Replace it with the IP address or the log aggregation server in your environment.

remote_server = 10.0.21.1

Notes:

This Benchmark recommendation maps to:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide:

Version 2, Release: 3 Benchmark Date: 26 Apr 2019



Vul ID: V-72083

Rule ID: SV-86707r2_rule

STIG ID: RHEL-07-030300

Severity: CAT II

See Also

https://workbench.cisecurity.org/files/2688

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-9(2)

Plugin: Unix

Control ID: 9e54200e2f952675a1ded922aeb9820b1eed26783ddf342b57ac2a62d499d657