Check: OL6-00-000509
Oracle Linux 6 STIG:
OL6-00-000509
(in versions v2 r7 through v1 r9)
Title
The system must forward audit records to the syslog service. (Cat III impact)
Discussion
The auditd service cannot send audit records directly to a centralized server for management. It does, however, include an audit event multiplexor plugin (audispd) to pass audit records to the local syslog server.
Check Content
Verify the audispd plugin is active:

# grep active /etc/audisp/plugins.d/syslog.conf

If the "active" setting is missing or set to "no", this is a finding.
Fix Text
Set the "active" line in "/etc/audisp/plugins.d/syslog.conf" to "yes". Restart the auditd process.

# service auditd restart
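The grep in the check also prints commented-out lines, so its output has to be read by eye. The script below is an added example, not part of the STIG text, that evaluates the setting automatically. The function name and sample files are constructed for illustration, and treating any uncommented "active" line other than "yes" as a finding is this example's assumption.

```shell
#!/bin/sh
# Added example (not STIG text). Prints the effective state of the audispd
# syslog plugin and returns 0 when compliant, 1 when it is a finding.
check_audisp_syslog() {
    conf="${1:-/etc/audisp/plugins.d/syslog.conf}"
    if [ ! -r "$conf" ]; then
        echo "unreadable"
        return 1
    fi
    # Skip comment lines, then inspect the value of every "active" key.
    # Whitespace around "=" is tolerated ("active = yes" and "active=yes").
    state=$(awk -F= '
        /^[ \t]*#/ { next }
        {
            key = $1; val = $2
            gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
            if (key != "active") next
            seen = 1
            if (val != "yes") bad = 1
        }
        END { if (!seen) print "missing"; else if (bad) print "no"; else print "yes" }
    ' "$conf")
    echo "$state"
    [ "$state" = "yes" ]
}

# Constructed sample files, written to a temporary directory.
demo_dir=$(mktemp -d)
printf 'active = yes\ndirection = out\n'   > "$demo_dir/enabled.conf"
printf '#active = yes\nactive = no\n'      > "$demo_dir/disabled.conf"
printf '# active = yes\ndirection = out\n' > "$demo_dir/commented.conf"
for f in enabled disabled commented; do
    result=$(check_audisp_syslog "$demo_dir/$f.conf") || true
    echo "$f.conf: active=$result"
done
rm -rf "$demo_dir"
```

On a real system, call check_audisp_syslog with no argument to evaluate /etc/audisp/plugins.d/syslog.conf; a non-zero exit status corresponds to a finding.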
Additional Identifiers
Rule ID: SV-219587r854356_rule
Vulnerability ID: V-219587
Group Title: SRG-OS-000342
CCIs
Number | Definition |
---|---|
CCI-000136 | The organization centrally manages the content of audit records generated by organization-defined information system components. |
CCI-001851 | The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited. |
Controls
Number | Title |
---|---|
AU-4 (1) | Transfer To Alternate Storage |