Configure auditd to use audispd's syslog plugin

An XCCDF Rule

Description

To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audit/plugins.d/syslog.conf to yes. Restart the auditd service:

$ sudo service auditd restart

Rationale

The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server.

ID: xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated
Severity: Medium
References: 1 11 12 13 14 15 16 19 3 4 5 6 7 8

5.4.1.1

APO11.04 APO12.06 BAI03.05 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01

3.3.1

CCI-000136

164.308(a)(1)(ii)(D) 164.308(a)(5)(ii)(B) 164.308(a)(5)(ii)(C) 164.308(a)(6)(ii) 164.308(a)(8) 164.310(d)(2)(iii) 164.312(b) 164.314(a)(2)(i)(C) 164.314(a)(2)(iii)

4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4

SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1

A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7

AU-4(1) CM-6(a)

DE.AE-3 DE.AE-5 PR.PT-1 RS.AN-1 RS.AN-4

FAU_GEN.1.1.c

Req-10.5.3

10.3.3

SRG-OS-000342-GPOS-00133 SRG-OS-000479-GPOS-00224
Updated: about 1 year ago