Title

Amazon Linux 2023 must be configured to off-load audit records onto a different system from the system being audited via syslog. (Cat III impact)

Discussion

The auditd service does not include the ability to send audit records to a centralized server for management directly. However, it can use a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server. Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224

Check Content

Verify Amazon Linux 2023 off-loads audit records onto a different system with the following command: $ more /etc/systemd/journal-upload.conf [Upload] URL=192.168.21.2 ServerKeyFile=/etc/ssl/private/journal-upload.pem ServerCertificateFile=/etc/ssl/certs/journal-upload.pem TrustedCertificateFile=/etc/ssl/ca/trusted.pem If all of the entries do not have values, are commented out, or are missing, this is a finding.

Fix Text

Configure Amazon Linux 2023 to off-load audit records onto a different system or media from the system being audited. If using systemd-journal-upload: Edit "/etc/systemd/journal-upload.conf" with the appropriate configuration: [Upload] URL=https://[server.domain]:[port]

Additional Identifiers

Rule ID: SV-274080r1120228_rule

Vulnerability ID: V-274080

Group Title: SRG-OS-000342-GPOS-00133

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.