Check: AZLX-23-002025
Amazon Linux 2023 STIG, version v1 r1
Title
Amazon Linux 2023 must label all off-loaded audit logs before sending them to the central log server. (Cat II impact)
Discussion
Enriched logging is needed to determine who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult.
Check Content
Verify Amazon Linux 2023 is configured so that the Audit Daemon labels all off-loaded audit logs with the following command:

$ sudo grep name_format /etc/audit/auditd.conf

name_format = hostname

If the "name_format" option is not "hostname", "fqd", or "numeric", or the line is commented out, this is a finding.
Fix Text
Configure Amazon Linux 2023 so that the Audit Daemon labels all off-loaded audit logs. Edit the /etc/audit/auditd.conf file and add or update the "name_format" option:

name_format = hostname

The audit daemon must be restarted for the change to take effect.
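The check and fix above, as an added POSIX shell example that is not part of the STIG text: the functions take the auditd.conf path as an argument (defaulting to /etc/audit/auditd.conf) so they can be exercised against a constructed sample file, treat a commented-out line as unset exactly as the check does, and the fix rewrites or appends the option without restarting auditd, which remains a separate step.

```shell
#!/bin/sh
# Added example (not from the STIG): evaluate and remediate the auditd
# name_format setting for AZLX-23-002025. The path argument is an
# assumption of this example so it can run against a sample file.

# Print the effective name_format value; empty if unset or commented out.
auditd_name_format() {
    conf="${1:-/etc/audit/auditd.conf}"
    # Drop comment lines, keep the last uncommented name_format line,
    # and strip everything up to and including '=' plus surrounding blanks.
    grep -v '^[[:space:]]*#' "$conf" 2>/dev/null \
        | grep -E '^[[:space:]]*name_format[[:space:]]*=' \
        | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Return 0 when the value is one the STIG accepts, 1 when it is a finding.
check_name_format() {
    value="$(auditd_name_format "$1")"
    case "$value" in
        hostname|fqd|numeric) return 0 ;;
        *) return 1 ;;
    esac
}

# Set "name_format = hostname": replace an existing line (commented or not)
# or append one if none exists. Writes via a temp file for portability.
fix_name_format() {
    conf="${1:-/etc/audit/auditd.conf}"
    if grep -qE '^[[:space:]]*#?[[:space:]]*name_format[[:space:]]*=' "$conf"; then
        tmp="$conf.tmp"
        sed -E 's/^[[:space:]]*#?[[:space:]]*name_format[[:space:]]*=.*/name_format = hostname/' \
            "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        printf 'name_format = hostname\n' >> "$conf"
    fi
}

# Constructed sample: a commented-out setting, which the check treats as a finding.
demo="$(mktemp)"
printf '# name_format = hostname\nlog_file = /var/log/audit/audit.log\n' > "$demo"
if check_name_format "$demo"; then
    echo "not a finding"
else
    echo "finding: effective name_format is '$(auditd_name_format "$demo")'"
fi
fix_name_format "$demo"
check_name_format "$demo" && echo "remediated: name_format = $(auditd_name_format "$demo")"
rm -f "$demo"
```

On a live system the remediation must be followed by restarting the audit daemon, as the Fix Text states, before the new naming takes effect on off-loaded logs.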
Additional Identifiers
Rule ID: SV-274069r1120195_rule
Vulnerability ID: V-274069
Group Title: SRG-OS-000342-GPOS-00133
CCIs
| Number | Definition |
|---|---|
| CCI-001851 | Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging. |
Controls
| Number | Title |
|---|---|
| AU-4(1) | Transfer to Alternate Storage |