Check: UBTU-16-020220
Canonical Ubuntu 16.04 LTS STIG:
UBTU-16-020220
(in versions v2 r3 through v1 r3)
Title
The audit records must be off-loaded onto a different system or storage media from the system being audited. (Cat II impact)
Discussion
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Check Content
Verify the audit system off-loads audit records to a different system or storage media from the system being audited. Check that the records are being off-loaded to a remote server with the following command: # sudo grep -i remote_server /etc/audisp/audisp-remote.conf remote_server = 10.0.1.2 If "remote_server" is not configured, or the line is commented out, this is a finding.
Fix Text
Configure the audit system to off-load audit records to a different system or storage media from the system being audited. Set the "remote_server" option in "/etc/audisp/audisp-remote.conf" with the IP address of the log server. See the example below. remote_server = 10.0.1.2 In order for the changes to take effect, the audit daemon must be restarted. The audit daemon can be restarted with the following command: # sudo systemctl restart auditd.service
Additional Identifiers
Rule ID: SV-215054r610931_rule
Vulnerability ID: V-215054
Group Title: SRG-OS-000342-GPOS-00133
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001851 |
The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited. |
Controls
Number | Title |
---|---|
AU-4 (1) |
Transfer To Alternate Storage |