4.1.2.13 Ensure off-loaded audit logs are labeled.

Information

The operating system must label all off-loaded audit logs before sending them to the central log server.

Rationale:

Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Off-loading is a common process in information systems with limited audit storage capacity.

When audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system.

Solution

Edit the /etc/audisp/audispd.conf file and add or update the name_format option:
Example: vim /etc/audisp/audispd.conf
Add the name format to include hostname, fqd, or numeric.
Example:

name_format = hostname

The audit daemon must be restarted for changes to take effect:

# service auditd restart

See Also

https://workbench.cisecurity.org/files/3636

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4(1), CCI|CCI-001851, CSCv7|6.2, Rule-ID|SV-204508r603261_rule, STIG-ID|RHEL-07-030211

Plugin: Unix

Control ID: e71d0d9e5f71c0ff35d4efae90db0e39fcc6056ca6b716f5e1f285812c707288