Encrypt Audit Records Sent With audispd Plugin
An XCCDF Rule
Description
Configure the operating system to encrypt the transfer of off-loaded audit
records onto a different system or media from the system being audited.
Set the transport
option in
/etc/audit/audisp-remote.confto
KRB5
.
Rationale
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
- ID
- xccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- NIST-800-53-AU-9(3)
- NIST-800-53-CM-6(a)
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
AUDISP_REMOTE_CONFIG="/etc/audit/audisp-remote.conf"
option="^transport"