The Oracle Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited.

An XCCDF Rule

Description

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. One method of off-loading audit logs in Oracle Linux is with the use of the audisp-remote dameon. Without the configuration of the "au-remote" plugin, the audisp-remote daemon will not off load the logs from the system being audited. Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224

ID: SV-221767r958754_rule
Version: OL07-00-030201
Severity: Medium
References: CCI-001851
Updated: 15 days ago

Remediation Templates

Edit the /etc/audisp/plugins.d/au-remote.conf file and add or update the following values:

active = yes
direction = out
path = /sbin/audisp-remote
type = always
The audit daemon must be restarted for changes to take effect:

# service auditd restart

The Oracle Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited.

Description

Remediation Templates

A Manual Procedure