An error occurred:

Check: UBTU-18-010007

Canonical Ubuntu 18.04 LTS STIG: UBTU-18-010007 (in versions v2 r14 through v2 r9)

Title

The Ubuntu operating system audit event multiplexor must be configured to off-load audit logs onto a different system in real time, if the system is interconnected. (Cat III impact)

Discussion

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.

Check Content

Verify the audit event multiplexor is configured to off-load audit records to a different system or storage media from the system being audited. Check that audisp-remote plugin is installed: # sudo dpkg -s audispd-plugins If status is "not installed", this is a finding. Check that the records are being off-loaded to a remote server with the following command: # sudo grep -i active /etc/audisp/plugins.d/au-remote.conf active = yes If "active" is not set to "yes", or the line is commented out, this is a finding. Check that audisp-remote plugin is configured to send audit logs to a different system: # sudo grep -i ^remote_server /etc/audisp/audisp-remote.conf remote_server = 192.168.122.126 If the remote_server parameter is not set or is set with a local address, or is set with invalid address, this is a finding.

Fix Text

Configure the audit event multiplexor to off-load audit records to a different system or storage media from the system being audited. Install the audisp-remote plugin: # sudo apt-get install audispd-plugins -y Set the audisp-remote plugin as active, by editing the /etc/audisp/plugins.d/au-remote.conf file: # sudo sed -i -E 's/active\s*=\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf Set the address of the remote machine, by editing the /etc/audisp/audisp-remote.conf file: # sudo sed -i -E 's/(remote_server\s*=).*/\1 <remote addr>/' audisp-remote.conf where <remote addr> must be substituted by the address of the remote server receiving the audit log. Make the audit service reload its configuration files: # sudo systemctl restart auditd.service

Additional Identifiers

Rule ID: SV-219153r853361_rule

Vulnerability ID: V-219153

Group Title: SRG-OS-000479-GPOS-00224

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001851

The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AU-4 (1)

Transfer To Alternate Storage