Title

The audit system must take appropriate action when the network cannot be used to off-load audit records. (Cat II impact)

Discussion

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.

Check Content

Verify that the audit system takes appropriate action if the network cannot be used to off-load audit records. Check what action will take place if the network connection fails with the following command: # sudo grep -iw "network_failure" /etc/audisp/audisp-remote.conf network_failure_action = stop If the value of the “network_failure_action” option is not "syslog", "single", or "halt", or the line is commented out, this is a finding.

Fix Text

Configure the Ubuntu operating system to take appropriate action when the network cannot be used to off-load audit records. Add, edit or uncomment the "network_failure_action" option in "/etc/audisp/audisp-remote.conf". Set it to "syslog", "single" or "halt" like the below example: network_failure_action = single

Additional Identifiers

Rule ID: SV-90539r2_rule

Vulnerability ID: V-75859

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.