Ensure the audispd's remote logging daemon type is correct

An XCCDF Rule

Description

Ensure the type used by audisp-remote plug-in of the audispd audit event multiplexor is correct. Check that the type directive in /etc/audisp/plugins.d/au-remote.conf is always. Restart the auditd service to apply configuration changes:

$ sudo service auditd restart

Rationale

The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to a remote server.

ID: xccdf_org.ssgproject.content_rule_auditd_audispd_remote_daemon_type
Severity: Medium
References: CCI-001851

SRG-OS-000342-GPOS-00133 SRG-OS-000479-GPOS-00224

RHEL-07-030201

SV-204506r877390_rule

CCE-90159-5
Updated: about 1 year ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-90159-5
  - DISA-STIG-RHEL-07-030201  - auditd_audispd_remote_daemon_type
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure the audispd's remote logging daemon type is correct
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/audisp/plugins.d/au-remote.conf
      create: true
      regexp: ^\s*type\s*=\s*
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/audisp/plugins.d/au-remote.conf
    lineinfile:
      path: /etc/audisp/plugins.d/au-remote.conf
      create: true
      regexp: ^\s*type\s*=\s*
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/audisp/plugins.d/au-remote.conf
    lineinfile:
      path: /etc/audisp/plugins.d/au-remote.conf
      create: true
      regexp: ^\s*type\s*=\s*
      line: type = always
      state: present
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-90159-5
  - DISA-STIG-RHEL-07-030201
  - auditd_audispd_remote_daemon_type
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

if [ -e "/etc/audisp/plugins.d/au-remote.conf" ] ; then
    
    LC_ALL=C sed -i "/^\s*type\s*=\s*/Id" "/etc/audisp/plugins.d/au-remote.conf"else
    touch "/etc/audisp/plugins.d/au-remote.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/audisp/plugins.d/au-remote.conf"

cp "/etc/audisp/plugins.d/au-remote.conf" "/etc/audisp/plugins.d/au-remote.conf.bak"
# Insert at the end of the file
printf '%s\n' "type = always" >> "/etc/audisp/plugins.d/au-remote.conf"
# Clean up after ourselves.
rm "/etc/audisp/plugins.d/au-remote.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure the audispd's remote logging daemon type is correct

Description

Rationale

Remediation - Ansible

Remediation - Shell Script