The Oracle Linux operating system must label all off-loaded audit logs before sending them to the central log server.

An XCCDF Rule

Description

<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. One method of off-loading audit logs in Oracle Linux is with the use of the audisp-remote dameon. When audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system. Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-221769r877390_rule
Severity: Medium
References: CCI-001851
Updated: 9 months ago

Edit the /etc/audisp/audispd.conf file and add or update the "name_format" option:

name_format = hostname

The audit daemon must be restarted for changes to take effect:
# service auditd restart

The Oracle Linux operating system must label all off-loaded audit logs before sending them to the central log server.

Description

Remediation - Manual Procedure