Skip to content

Encrypt Audit Records Sent With audispd Plugin

An XCCDF Rule

Description

Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited. Uncomment the enable_krb5 option in

/etc/audisp/audisp-remote.conf
, and set it with the following line:
enable_krb5 = yes

Rationale

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.

ID
xccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records
Severity
Medium
References
Updated



Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-OL07-00-030310
  - NIST-800-53-AU-9(3)

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

AUDISP_REMOTE_CONFIG="/etc/audisp/audisp-remote.conf"

option="^enable_krb5"