4.1.2.8 Ensure audit logs are stored on a different system.

Information

The operating system must off-load audit records onto a different system or media from the system being audited.

Rationale:

Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Off-loading is a common process in information systems with limited audit storage capacity.

Solution

Configure the operating system to off-load audit records onto a different system or media from the system being audited.
Set the remote server option in /etc/audisp/audisp-remote.conf with the IP address of the log aggregation server.
Example: vim /etc/audisp/audisp-remote.conf
Add, uncomment or update the following line:
Note: The ip address listed is just for an example. Replace it with the IP address or the log aggregation server in your environment.

remote_server = 10.0.21.1

See Also

https://workbench.cisecurity.org/files/3636

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4(1), CCI|CCI-001851, CSCv7|6.2, Rule-ID|SV-204509r603261_rule, STIG-ID|RHEL-07-030300

Plugin: Unix

Control ID: 29a566859c4d6b5d1a618988b3b61bfcb13e16f8f95dfd834ab92d65c01f88ed