Encrypt Audit Records Sent With audispd Plugin

An XCCDF Rule

Description

Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited. Set the transport option in

/etc/audit/audisp-remote.conf

to KRB5.

Rationale

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.

ID: xccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records
Severity: Medium
References: CCI-001851

AU-9(3) CM-6(a)

SRG-OS-000342-GPOS-00133 SRG-OS-000479-GPOS-00224
Updated: about 1 month ago

Remediation Templates

# Remediation is applicable only in certain platforms
if rpm --quiet -q audit && rpm --quiet -q kernel; then
AUDISP_REMOTE_CONFIG="/etc/audit/audisp-remote.conf"

option="^transport"
value="KRB5"

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$option")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "$option\\>" "$AUDISP_REMOTE_CONFIG"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/$option\\>.*/$escaped_formatted_output/gi" "$AUDISP_REMOTE_CONFIG"
else
    if [[ -s "$AUDISP_REMOTE_CONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDISP_REMOTE_CONFIG" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDISP_REMOTE_CONFIG"
    fi
    printf '%s\n' "$formatted_output" >> "$AUDISP_REMOTE_CONFIG"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(a)  - auditd_audispd_encrypt_sent_records
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
- name: Configure Kerberos 5 Encryption in Audit Event Multiplexor (audispd)
  lineinfile:
    dest: /etc/audit/audisp-remote.conf
    line: enable_krb5 = yes
    regexp: ^\s*enable_krb5\s*=\s*.*$
    state: present
    mode: 416
    create: true
  when:
  - '"audit" in ansible_facts.packages'
  - '"kernel" in ansible_facts.packages'
  tags:
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(a)
  - auditd_audispd_encrypt_sent_records
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

Encrypt Audit Records Sent With audispd Plugin

Description

Rationale

Remediation Templates

A Shell Script

An Ansible Snippet