Configure the audispd plugin to off-load audit records onto a different
system or media from the system being audited.
First, set the active option in
/etc/audisp/plugins.d/au-remote.conf
Set the remote_server option in
/etc/audit/audisp-remote.conf
with an IP address or hostname of the system that the audispd plugin should
send audit records to. For example
remote_server =
Rationale
Information stored in one location is vulnerable to accidental or incidental
deletion or alteration. Off-loading is a common process in information systems
with limited audit storage capacity.
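#######################################
# Set "key = value" in a config file: replace the existing line for the key
# (case-insensitive, key followed by a word boundary so 'setting' does not
# match 'setting2') or append a new line when the key is absent.
# Arguments:
#   $1 - key; a leading ^ and the characters = $ , ; + are stripped so no
#        search characters leak into the config file
#   $2 - value to assign
#   $3 - path of the config file, rewritten in place (GNU sed -i)
# Returns: status of the last sed/printf, non-zero if the file is unwritable
#######################################
set_config_key() {
  local key=$1 value=$2 config_file=$3
  local stripped_key formatted_output escaped_output
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")
  printf -v formatted_output '%s = %s' "$stripped_key" "$value"
  if LC_ALL=C grep -q -m 1 -i -e "^${stripped_key}\\>" "$config_file"; then
    # Escape everything sed treats specially in a replacement text:
    # backslash first, then the s/// delimiter and the '&' back-reference.
    escaped_output=${formatted_output//\\/\\\\}
    escaped_output=${escaped_output//\//\\/}
    escaped_output=${escaped_output//&/\\&}
    LC_ALL=C sed -i --follow-symlinks "s/^${stripped_key}\\>.*/${escaped_output}/gi" "$config_file"
  else
    # Make sure the file ends with a newline so the new line is not glued
    # onto an unterminated last line.
    if [[ -s "$config_file" ]] && [[ -n "$(tail -c 1 -- "$config_file" || true)" ]]; then
      LC_ALL=C sed -i --follow-symlinks '$a'\\ "$config_file"
    fi
    printf '%s\n' "$formatted_output" >> "$config_file"
  fi
}

# Remediation is applicable only in certain platforms: not inside a container,
# and only when the auditd package is installed.
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then

# Value substituted by the XCCDF build: IP address or hostname of the
# remote audit log server.
var_audispd_remote_server='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_audispd_remote_server" use="legacy"/>'

AUDITCONFIG=/etc/audit/audisp-remote.conf
AUREMOTECONFIG=/etc/audisp/plugins.d/au-remote.conf

# Enable the au-remote audispd plugin, then point it at the remote server.
set_config_key "^active" "yes" "$AUREMOTECONFIG"
set_config_key "^remote_server" "$var_audispd_remote_server" "$AUDITCONFIG"

else
>&2 echo 'Remediation is not applicable, nothing was done'
fi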