GEN002870 - The system must be configured to send audit records to a remote audit server - NFS

Information

Audit records contain evidence that can be used in the investigation of compromised systems. To protect this evidence from being altered or destroyed by an attacker who has gained control of the host, it must be sent continuously to a separate system. Methods for sending audit records include, but are not limited to, system audit tools that write records directly to another host, or forwarding through the system's syslog service to another host.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Update the /etc/security/audit_control file so that the audit daemon writes the binary audit trail to a directory that is an NFS mount from the remote audit server. The mount itself is defined in /etc/vfstab as usual; the dir: entry must name the mount point or a directory beneath it. Several dir: lines may be listed and are used in the order given, so a local directory can follow the remote one as a fallback if the mount becomes unavailable. After editing, run audit -s so the audit daemon re-reads the file.

dir:<remote NFS directory>

OR

If /usr/lib/security/audit_syslog.so* exists, update the /etc/security/audit_control file to pass all audit records to the syslog plugin, and update /etc/syslog.conf to forward the audit facility to a remote server.

/etc/security/audit_control:
plugin:name=audit_syslog.so.1; p_flags=all

/etc/syslog.conf:
audit.* @<remote syslog server>

In /etc/syslog.conf the selector (audit.*) and the action (@<remote syslog server>) must be separated by a tab, not spaces; Solaris syslogd silently ignores entries separated by spaces. Have both daemons re-read their configuration afterwards: audit -s for the audit daemon and svcadm refresh system-log for syslogd. Note that the syslog plugin emits a text summary of each audit record rather than the full binary record, and that syslog forwarding uses UDP with no authentication or delivery guarantee, so the NFS method preserves more complete evidence.
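
As an added example (not part of the STIG text or the Nessus audit), the following POSIX sh script checks copies of the three files involved for either configuration described above, giving the same yes/no verdict the audit check encodes. It assumes the files follow the formats shown in the solution, that a dir: path counts as remote when it is (or lies under) a mount point whose FS type in /etc/vfstab is nfs, and that the plugin line appears in exactly the STIG's form; the file contents used to exercise it are constructed.

```sh
#!/bin/sh
# Constructed compliance check for GEN002870 (added example; not part of the
# STIG or the Nessus audit). It evaluates copies of the three files rather
# than the live system, so it runs anywhere with a POSIX sh and awk. On a
# Solaris 10 host pass the real paths:
#   gen002870_compliant /etc/security/audit_control /etc/vfstab /etc/syslog.conf
# Assumption: a dir: path is "remote NFS" when it equals, or lies under, a
# mount point whose FS type in vfstab is nfs.

# Print the path of every dir: entry in an audit_control file, in the order
# the audit daemon uses them; comments, blank lines and whitespace ignored.
audit_control_dirs() {
    awk -F: '$0 !~ /^[ \t]*#/ && $1 ~ /^[ \t]*dir[ \t]*$/ {
        gsub(/[ \t]/, "", $2); if ($2 != "") print $2
    }' "$1"
}

# Return 0 if PATH equals, or lies under, an nfs mount point listed in VFSTAB.
# vfstab fields: device_to_mount device_to_fsck mount_point FS_type
#                fsck_pass mount_at_boot mount_options
is_nfs_mount_point() {
    awk -v p="$1" '
        $1 !~ /^#/ && NF >= 4 && $4 == "nfs" {
            if (p == $3 || index(p, $3 "/") == 1) found = 1
        }
        END { exit(found ? 0 : 1) }' "$2"
}

# Method 1: the first (preferred) audit directory is on an NFS mount.
audit_trail_on_nfs() {
    first=$(audit_control_dirs "$1" | sed 1q)
    [ -n "$first" ] && is_nfs_mount_point "$first" "$2"
}

# Method 2a: audit_control hands every record to the syslog plugin, in the
# exact form the STIG gives (optional whitespace allowed around the fields).
audit_syslog_plugin_enabled() {
    awk '$0 ~ /^[ \t]*plugin:[ \t]*name=audit_syslog\.so\.1;[ \t]*p_flags=all[ \t]*$/ { found = 1 }
         END { exit(found ? 0 : 1) }' "$1"
}

# Method 2b: syslog.conf forwards the audit facility to a remote host. The
# plugin logs at audit.notice, so audit.*, audit.notice, audit.info or
# audit.debug selectors all capture it; the action must be @host. awk's
# default field splitting accepts the tab Solaris syslogd requires there.
syslog_forwards_audit() {
    awk '$0 !~ /^[ \t]*#/ && NF >= 2 &&
         $1 ~ /(^|;)audit\.(\*|debug|info|notice)(;|$)/ && $2 ~ /^@./ { found = 1 }
         END { exit(found ? 0 : 1) }' "$1"
}

# Overall verdict: 0 (compliant) if either method is in place, 1 otherwise.
gen002870_compliant() {
    ac=$1; vfstab=$2; syslog_conf=$3
    if audit_trail_on_nfs "$ac" "$vfstab"; then
        echo "GEN002870: audit trail written to NFS mount $(audit_control_dirs "$ac" | sed 1q)"
        return 0
    fi
    if audit_syslog_plugin_enabled "$ac" && syslog_forwards_audit "$syslog_conf"; then
        echo "GEN002870: audit records forwarded to a remote host via the syslog plugin"
        return 0
    fi
    echo "GEN002870: FINDING - audit records are not sent to a remote system" >&2
    return 1
}
```

The script only confirms that the configuration is in place. It does not prove the remote side is receiving anything: on a live host also confirm the NFS mount is active and that new audit files or syslog lines appear on the remote system.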

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SOL_10_x86_V2R4_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-9(2), CAT|III, CCI|CCI-001348, Rule-ID|SV-227737r603266_rule, STIG-ID|GEN002870, STIG-Legacy|SV-39881, STIG-Legacy|V-24357, Vuln-ID|V-227737

Plugin: Unix

Control ID: 2e11835ecf47f2cd21bf08ed4f91cfd445154cdaa32f7b288cd710891b40ec11