The Oracle Linux operating system must label all off-loaded audit logs before sending them to the central log server.

An XCCDF Rule

Details
Profiles

Description

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. One method of off-loading audit logs in Oracle Linux is with the use of the audisp-remote dameon. When audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system. Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224

ID: SV-221769r958754_rule
Version: OL07-00-030211
Severity: Medium
References: CCI-001851
Updated: 13 days ago

Remediation Templates

Edit the /etc/audisp/audispd.conf file and add or update the "name_format" option:

name_format = hostname

The audit daemon must be restarted for changes to take effect:

# service auditd restart

The Oracle Linux operating system must label all off-loaded audit logs before sending them to the central log server.

Description

Remediation Templates

A Manual Procedure