Configure auditd to use audispd's remote logging daemon

An XCCDF Rule

Description

To configure the auditd service to use the audisp-remote plug-in of the audispd audit event multiplexor, set the active directive in /etc/audisp/plugins.d/au-remote.conf to yes. Restart the auditd service to apply configuration changes:

$ sudo service auditd restart

Rationale

The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to a remote server.

ID: xccdf_org.ssgproject.content_rule_auditd_audispd_remote_daemon_activated
Severity: Medium
References: CCI-001851

SRG-OS-000342-GPOS-00133 SRG-OS-000479-GPOS-00224

SV-204506r877390_rule
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

if [ -e "/etc/audisp/plugins.d/au-remote.conf" ] ; then
    
    LC_ALL=C sed -i "/^\s*active\s*=\s*/Id" "/etc/audisp/plugins.d/au-remote.conf"else
    touch "/etc/audisp/plugins.d/au-remote.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/audisp/plugins.d/au-remote.conf"

cp "/etc/audisp/plugins.d/au-remote.conf" "/etc/audisp/plugins.d/au-remote.conf.bak"
# Insert at the end of the file
printf '%s\n' "active = yes" >> "/etc/audisp/plugins.d/au-remote.conf"
# Clean up after ourselves.
rm "/etc/audisp/plugins.d/au-remote.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-RHEL-07-030201
  - auditd_audispd_remote_daemon_activated  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Configure auditd to use audispd's remote logging daemon
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/audisp/plugins.d/au-remote.conf
      create: true
      regexp: ^\s*active\s*=\s*
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/audisp/plugins.d/au-remote.conf
    lineinfile:
      path: /etc/audisp/plugins.d/au-remote.conf
      create: true
      regexp: ^\s*active\s*=\s*
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/audisp/plugins.d/au-remote.conf
    lineinfile:
      path: /etc/audisp/plugins.d/au-remote.conf
      create: true
      regexp: ^\s*active\s*=\s*
      line: active = yes
      state: present
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-RHEL-07-030201
  - auditd_audispd_remote_daemon_activated
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

Configure auditd to use audispd's remote logging daemon

Description

Rationale

Remediation - Shell Script

Remediation - Ansible