The Ubuntu operating system audit event multiplexor must be configured to off-load audit logs onto a different system or storage media from the system being audited.

An XCCDF Rule

Description

<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-238306r958754_rule
Severity: Low
References: CCI-001851
Updated: 17 days ago

Configure the audit event multiplexor to offload audit records to a different system or storage media from the system being audited. 
 
Install the audisp-remote plugin: 
 
$ sudo apt-get install audispd-plugins -y 
 Set the audisp-remote plugin as active by editing the "/etc/audisp/plugins.d/au-remote.conf" file: 
 
$ sudo sed -i -E 's/active\s*=\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf 
 
Set the address of the remote machine by editing the "/etc/audisp/audisp-remote.conf" file: 
 
$ sudo sed -i -E 's/(remote_server\s*=).*/\1 <remote addr>/' /etc/audisp/audisp-remote.conf 
 
where <remote addr> must be substituted by the address of the remote server receiving the audit log. 
 
Make the audit service reload its configuration files: 
 
$ sudo systemctl restart auditd.service

The Ubuntu operating system audit event multiplexor must be configured to off-load audit logs onto a different system or storage media from the system being audited.

Description

Remediation - Manual Procedure