4.8 Ensure off-load of audit logs - direction

Information

The operating system must configure the au-remote plugin to off-load audit logs using the audisp-remote daemon.

Rationale:

Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Off-loading is a common process in information systems with limited audit storage capacity.

Without the configuration of the 'au-remote' plugin, the audisp-remote daemon will not off-load the logs from the system being audited.

Solution

Edit the /etc/audisp/plugins.d/au-remote.conf file and add, uncomment or update the following values.
Example: vim /etc/audisp/plugins.d/au-remote.conf
Add, uncomment or update the following lines:

direction = out
path = /sbin/audisp-remote
type = always

The audit daemon must be restarted for changes to take effect:

# service auditd restart
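The following POSIX shell check verifies the three settings above in the plugin file. It is an added example, not part of the benchmark or of the auditd project; the helper names (au_remote_get, au_remote_check) and the sample file contents are constructed, and it assumes the "key = value" line format shown above with '#' introducing a comment.

```shell
#!/bin/sh
# Check that /etc/audisp/plugins.d/au-remote.conf off-loads audit logs
# via audisp-remote as required by the benchmark item.

# Print the value of an uncommented "key = value" assignment in a plugin file.
# When a key is assigned more than once, the last assignment is reported
# (an assumption of this check, not a documented auditd parsing rule).
au_remote_get() {
    # $1 = config file, $2 = key name
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" \
        | tail -n 1
}

# Compare the effective direction, path and type against the required values.
# Returns 0 and prints PASS when all match, otherwise prints each mismatch and returns 1.
au_remote_check() {
    cfg="${1:-/etc/audisp/plugins.d/au-remote.conf}"
    if [ ! -r "$cfg" ]; then
        echo "FAIL: $cfg is missing or not readable"
        return 1
    fi
    rc=0
    for pair in "direction=out" "path=/sbin/audisp-remote" "type=always"; do
        key="${pair%%=*}"
        want="${pair#*=}"
        got="$(au_remote_get "$cfg" "$key")"
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then
        echo "PASS: $cfg off-loads audit logs via audisp-remote"
    fi
    return "$rc"
}

# Stand-alone use: pass a file path, or none to check the default location.
if [ "$#" -gt 0 ]; then
    au_remote_check "$1"
fi
```

A commented-out line such as "# direction = out" is ignored by the check, so it reports the configuration as auditd would actually see it after editing.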

Notes:

This Benchmark recommendation maps to:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide:

Version 2, Release 3, Benchmark Date: 26 Apr 2019

Vul ID: V-81017

Rule ID: SV-95729r1_rule

STIG ID: RHEL-07-030201

Severity: CAT II

See Also

https://workbench.cisecurity.org/files/2688

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4(1)

Plugin: Unix

Control ID: 56d8e945700b9b586741175b3c2aa3bc5e6f322406e71e5c874febf51589e5c2