Check: UBTU-16-020080
Canonical Ubuntu 16.04 LTS STIG:
UBTU-16-020080
(in versions v2 r3 through v1 r3)
Title
Off-loading audit records to another system must be authenticated. (Cat II impact)
Discussion
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Check Content
Verify the audit system authenticates off-loading audit records to a different system. Check that the off-loading of audit records to a different system is authenticated with the following command: # sudo grep enable /etc/audisp/audisp-remote.conf enable_krb5 = yes If “enable_krb5” option is not set to "yes" or the line is commented out, this is a finding.
Fix Text
Configure the audit system to authenticate off-loading audit records to a different system. Uncomment the "enable_krb5" option in "/etc/audisp/audisp-remote.conf" and set it to "yes". See the example below. enable_krb5 = yes
Additional Identifiers
Rule ID: SV-215041r610931_rule
Vulnerability ID: V-215041
Group Title: SRG-OS-000479-GPOS-00224
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001851 |
The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited. |
Controls
Number | Title |
---|---|
AU-4 (1) |
Transfer To Alternate Storage |