Check: UBTU-16-030430
Canonical Ubuntu 16.04 LTS STIG:
UBTU-16-030430
(in versions v2 r3 through v1 r3)
Title
The audit system must take appropriate action when the network cannot be used to off-load audit records. (Cat II impact)
Discussion
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Check Content
Verify that the audit system takes appropriate action if the network cannot be used to off-load audit records. Check what action will take place if the network connection fails with the following command: # sudo grep -iw "network_failure" /etc/audisp/audisp-remote.conf network_failure_action = stop If the value of the “network_failure_action” option is not "syslog", "single", or "halt", or the line is commented out, this is a finding.
Fix Text
Configure the Ubuntu operating system to take appropriate action when the network cannot be used to off-load audit records. Add, edit or uncomment the "network_failure_action" option in "/etc/audisp/audisp-remote.conf". Set it to "syslog", "single" or "halt" like the below example: network_failure_action = single
Additional Identifiers
Rule ID: SV-215140r610931_rule
Vulnerability ID: V-215140
Group Title: SRG-OS-000479-GPOS-00224
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001851 |
The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited. |
Controls
Number | Title |
---|---|
AU-4 (1) |
Transfer To Alternate Storage |