The CA API Gateway must off-load audit records onto a different system or media than the system being audited.

An XCCDF Rule

Description

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.

ID: SV-86193r1_rule
Version: CAGW-DM-000350
Severity: Low
References: CCI-001851
Updated: 15 days ago

Remediation Templates

Setup steps:

Configure rsyslogd to monitor "/var/log/auditd/auditd.log" file for updates by adding stanza:

# auditd audit.log
$ModLoad imfile$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor

to the "/etc/rsyslogd.conf" file. 

Note: This creates audit log entries for facility "local6" and priority "info." This can be changed to suite.

Configure "rsyslogd" to forward this combination (local6.info) to the appropriate loghost by adding logging rule to the rule section of the "rsyslogd.conf" file:

local6.* @@loghost.ca.com

Note that the syntax "@@loghost.ca.com" means that the records are forwarded via TCP.

A single "@" before the remote loghost would mean the records are forwarded via UDP.

The CA API Gateway must off-load audit records onto a different system or media than the system being audited.

Description

Remediation Templates

A Manual Procedure