Title

Ubuntu OS audit event multiplexor must be configured to off-load audit logs onto a different system from the system being audited. (Cat II impact)

Discussion

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. The auditd service does not include the ability to send audit records to a centralized server for management directly. However, it can use a plug-in for audit event multiplexor to pass audit records to a remote server.

Check Content

Verify the audit event multiplexor is configured to off-load audit records to a different system from the system being audited. Check if the "audispd-plugins" package is installed: $ dpkg -l | grep audispd-plugins ii audispd-plugins 1:3.0.7-1build1 amd64 Plugins for the audit event dispatcher If the "audispd-plugins" package is not installed, this is a finding. Check that the records are being off-loaded to a remote server by using the following command: $ sudo grep -i active /etc/audit/plugins.d/au-remote.conf active = yes If "active" is not set to "yes", or the line is commented out, or is missing, this is a finding. Check that audisp-remote plugin is configured to send audit logs to a different system: $ sudo grep -i remote_server /etc/audit/audisp-remote.conf remote_server = 240.9.19.81 If the "remote_server" parameter is not set, is set with a local IP address, or is set with an invalid IP address, this is a finding.

Fix Text

Configure the audit event multiplexor to off-load audit records to a different system from the system being audited. Install the "audisp-plugins" package by using the following command: $ sudo apt-get install audispd-plugins Set the audisp-remote plugin as active by editing the "/etc/audit/plugins.d/au-remote.conf" file: $ sudo sed -i -E 's/active\s*=\s*no/active = yes/' /etc/audit/plugins.d/au-remote.conf Set the IP address of the remote system by editing the "/etc/audit/audisp-remote.conf" file: $ sudo sed -i -E 's/(remote_server\s*=).*/\1 <remote_server_ip_address>/' /etc/audit/audisp-remote.conf Restart the "auditd.service" for the changes to take effect: $ sudo systemctl restart auditd.service

Additional Identifiers

Rule ID: SV-275679r1148087_rule

Vulnerability ID: V-275679

Group Title: SRG-OS-000479-GPOS-00224

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.