OL07-00-030201 - The Oracle Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited.

Information

Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Off-loading is a common process in information systems with limited audit storage capacity.

One method of off-loading audit logs in Oracle Linux is with the use of the audisp-remote dameon. Without the configuration of the 'au-remote' plugin, the audisp-remote daemon will not off load the logs from the system being audited.

Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224

Solution

Edit the /etc/audisp/plugins.d/au-remote.conf file and add or update the following values:

active = yes
direction = out
path = /sbin/audisp-remote
type = always

The audit daemon must be restarted for changes to take effect:

# service auditd restart

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_7_V2R14_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4(1), CAT|II, CCI|CCI-001851, Rule-ID|SV-221767r877390_rule, STIG-ID|OL07-00-030201, STIG-Legacy|SV-108377, STIG-Legacy|V-99273, Vuln-ID|V-221767

Plugin: Unix

Control ID: 16cec8d6b9d6c1ae04a1d883d8e35dbdc0688b9f93d48dc97f8f17817f77acca