Encrypt Audit Records Sent With audispd Plugin
An XCCDF Rule
Description
Configure the operating system to encrypt the transfer of off-loaded audit
records onto a different system or media from the system being audited.
Uncomment the enable_krb5
option in
/etc/audit/audisp-remote.conf, and set it with the following line:
enable_krb5 = yes
Rationale
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
- ID
- xccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
AUDISP_REMOTE_CONFIG="/etc/audit/audisp-remote.conf"
option="^enable_krb5"