Ensure the audispd's remote logging daemon executable is correct

An XCCDF Rule

Description

Ensure the executable used by audisp-remote plug-in of the audispd audit event multiplexor is correct. Check that the path directive in /etc/audisp/plugins.d/au-remote.conf is /sbin/audisp-remote. Restart the auditd service to apply configuration changes:

$ sudo service auditd restart

Rationale

The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to a remote server.

ID: xccdf_org.ssgproject.content_rule_auditd_audispd_remote_daemon_path
Severity: Medium
References: CCI-001851

SRG-OS-000342-GPOS-00133 SRG-OS-000479-GPOS-00224

OL07-00-030201

SV-221767r877390_rule
Updated: about 1 year ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-OL07-00-030201
  - auditd_audispd_remote_daemon_path  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure the audispd's remote logging daemon executable is correct
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/audisp/plugins.d/au-remote.conf
      create: true
      regexp: ^\s*path\s*=\s*
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/audisp/plugins.d/au-remote.conf
    lineinfile:
      path: /etc/audisp/plugins.d/au-remote.conf
      create: true
      regexp: ^\s*path\s*=\s*
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/audisp/plugins.d/au-remote.conf
    lineinfile:
      path: /etc/audisp/plugins.d/au-remote.conf
      create: true
      regexp: ^\s*path\s*=\s*
      line: path = /sbin/audisp-remote
      state: present
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-OL07-00-030201
  - auditd_audispd_remote_daemon_path
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

if [ -e "/etc/audisp/plugins.d/au-remote.conf" ] ; then
    
    LC_ALL=C sed -i "/^\s*path\s*=\s*/Id" "/etc/audisp/plugins.d/au-remote.conf"else
    touch "/etc/audisp/plugins.d/au-remote.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/audisp/plugins.d/au-remote.conf"

cp "/etc/audisp/plugins.d/au-remote.conf" "/etc/audisp/plugins.d/au-remote.conf.bak"
# Insert at the end of the file
printf '%s\n' "path = /sbin/audisp-remote" >> "/etc/audisp/plugins.d/au-remote.conf"
# Clean up after ourselves.
rm "/etc/audisp/plugins.d/au-remote.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure the audispd's remote logging daemon executable is correct

Description

Rationale

Remediation - Ansible

Remediation - Shell Script