Information
The operating system must be configured to use the au-remote plugin.
Rationale:
Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Off-loading is a common process in information systems with limited audit storage capacity.
Without the configuration of the 'au-remote' plugin, the audisp-remote daemon will not off-load the logs from the system being audited.
Solution
Edit the /etc/audisp/plugins.d/au-remote.conf file and change the value of active to yes.
Example: vim /etc/audisp/plugins.d/au-remote.conf
Add this line:
active = yes
The audit daemon must be restarted for changes to take effect:
# service auditd restart
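To confirm the setting after the change, the following check can be run. It is an added example, not part of the benchmark or of the audit package; the function name check_au_remote is hypothetical, and it assumes the file uses simple "key = value" lines. It is deliberately strict: a commented-out line, a missing line, a duplicate line, or any value other than the literal "yes" is reported as a failure.

```shell
#!/bin/sh
# Added example (not from the benchmark): verify the au-remote plugin setting.
# The default path is the one named on this page; pass another path to test a copy.

check_au_remote() {
    conf=${1:-/etc/audisp/plugins.d/au-remote.conf}
    if [ ! -r "$conf" ]; then
        echo "FAIL: cannot read $conf"
        return 2
    fi
    # Count uncommented "active" keys and remember the last value seen.
    result=$(awk -F= '
        /^[ \t]*#/ { next }
        {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key == "active") { n++; last = val }
        }
        END { printf "%d %s", n, last }' "$conf")
    count=${result%% *}
    value=${result#* }
    if [ "$count" -eq 0 ]; then
        echo "FAIL: no uncommented active line in $conf"
        return 1
    fi
    if [ "$count" -gt 1 ]; then
        # Assumption: duplicates are treated as a finding rather than guessed at.
        echo "FAIL: $count active lines in $conf, keep exactly one"
        return 1
    fi
    if [ "$value" = "yes" ]; then
        echo "PASS: active = yes in $conf"
        return 0
    fi
    echo "FAIL: active = $value in $conf"
    return 1
}

# Constructed sample input: the commented line must not count as enabled.
sample=$(mktemp)
printf '%s\n' '# active = yes' 'active = no' 'direction = out' > "$sample"
check_au_remote "$sample" || echo "sample file would need remediation"
rm -f "$sample"
```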
Notes:
This Benchmark recommendation maps to:
Red Hat Enterprise Linux 7 Security Technical Implementation Guide:
Version 2, Release: 3 Benchmark Date: 26 Apr 2019
Vul ID: V-81015
Rule ID: SV-95727r1_rule
STIG ID: RHEL-07-030200
Severity: CAT II