Information
The operating system must configure the au-remote plugin to off-load audit logs using the audisp-remote daemon.
Rationale:
Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Off-loading is a common process in information systems with limited audit storage capacity.
Without the configuration of the 'au-remote' plugin, the audisp-remote daemon will not off-load the logs from the system being audited.
Solution
Edit the /etc/audisp/plugins.d/au-remote.conf file and add, uncomment or update the following values:
Example: vim /etc/audisp/plugins.d/au-remote.conf
Add, uncomment or update the following lines:
direction = out
path = /sbin/audisp-remote
type = always
The audit daemon must be restarted for changes to take effect:
# service auditd restart
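As an added compliance check (not part of the STIG text), the POSIX shell script below reads an au-remote.conf and reports whether the three required values are set, ignoring commented-out lines. AU_REMOTE_CONF, the helper names and the two sample files are constructed for illustration; it assumes the last uncommented assignment of a key is the effective one.

```shell
#!/bin/sh
# Added example (not part of the STIG text): audit /etc/audisp/plugins.d/au-remote.conf
# for the three settings the recommendation requires. Exit status 0 means compliant.
AU_REMOTE_CONF="${AU_REMOTE_CONF:-/etc/audisp/plugins.d/au-remote.conf}"

# Print the effective value of a key ($2) in config file $1. Comment lines and
# trailing comments are ignored; assumption: the last uncommented assignment wins.
au_remote_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/#.*/, "", line)
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Check all three required values; report every deviation, return 1 on any.
check_au_remote() {
    conf="${1:-$AU_REMOTE_CONF}"
    rc=0
    [ -r "$conf" ] || { echo "FAIL: $conf not readable"; return 1; }
    for pair in "direction=out" "path=/sbin/audisp-remote" "type=always"; do
        key="${pair%%=*}"; want="${pair#*=}"
        have="$(au_remote_get "$conf" "$key")"
        if [ "$have" != "$want" ]; then
            echo "FAIL: $key is '${have:-<unset>}', expected '$want' ($conf)"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "PASS: $conf off-loads audit logs via audisp-remote"
    return "$rc"
}

# Constructed sample files so the check runs offline without touching the host.
SAMPLE_DIR="$(mktemp -d)"
printf 'active = yes\ndirection = out\npath = /sbin/audisp-remote\ntype = always\nformat = string\n' \
    > "$SAMPLE_DIR/compliant.conf"
printf 'active = yes\n# direction = out\npath = /sbin/audisp-remote\ntype = always\n' \
    > "$SAMPLE_DIR/noncompliant.conf"

check_au_remote "$SAMPLE_DIR/compliant.conf"
check_au_remote "$SAMPLE_DIR/noncompliant.conf" || true
```

Run it with no argument (or with AU_REMOTE_CONF set) to check the real file on a host; the sample files only demonstrate a pass and a fail.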
Notes:
This Benchmark recommendation maps to:
Red Hat Enterprise Linux 7 Security Technical Implementation Guide:
Version 2, Release: 3 Benchmark Date: 26 Apr 2019
Vul ID: V-81017
Rule ID: SV-95729r1_rule
STIG ID: RHEL-07-030201
Severity: CAT II