Ubuntu 22.04 LTS audit event multiplexor must be configured to offload audit logs onto a different system from the system being audited.

An XCCDF Rule

Description

<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity. The auditd service does not include the ability to send audit records to a centralized server for management directly. However, it can use a plug-in for audit event multiplexor to pass audit records to a remote server. Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-260592r958754_rule
Severity: Low
References: CCI-001851
Updated: 17 days ago

Configure the audit event multiplexor to offload audit records to a different system from the system being audited.  
  
Install the "audisp-plugins" package by using the following command:  
  
     $ sudo apt-get install audispd-plugins 
  Set the audisp-remote plugin as active by editing the "/etc/audit/plugins.d/au-remote.conf" file:  
  
     $ sudo sed -i -E 's/active\s*=\s*no/active = yes/' /etc/audit/plugins.d/au-remote.conf 
  
Set the IP address of the remote system by editing the "/etc/audit/audisp-remote.conf" file:  
  
     $ sudo sed -i -E 's/(remote_server\s*=).*/\1 <remote_server_ip_address>/' /etc/audit/audisp-remote.conf 
  
Restart the "auditd.service" for the changes to take effect:  
  
     $ sudo systemctl restart auditd.service

Ubuntu 22.04 LTS audit event multiplexor must be configured to offload audit logs onto a different system from the system being audited.

Description

Remediation - Manual Procedure