Title

The Riverbed NetIM must off-load audit records onto a different system or media than the system being audited. (Cat II impact)

Discussion

Information stored in one location on a disk may be vulnerable to accidental or incidental deletion or alteration. The ability to off-load those files is a common process used while managing information systems.

Check Content

Verify auditing is configured to send events to a central log server by using the following command: $ sudo grep -i action(type="omfwd" target="<Syslog Server IP > " port="3514" protocol="tcp" action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000") If auditing is configured to send events to a central log server, this is a finding.

Fix Text

Configure "rsyslog.d" service to send NetIM audit logs to central syslog. 1. Add or modify the following line in the "/etc/rsyslog.d" file: $ sudo nano /etc/rsyslog.d/60-netim.conf 2. Add the following text: *.* action(type="omfwd" target="<Syslog Server IP > " port="3514" protocol="tcp" action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000") 3. Restart rsyslog service. $ sudo service rsyslog restart

Additional Identifiers

Rule ID: SV-275482r1147496_rule

Vulnerability ID: V-275482

Group Title: SRG-APP-000515-NDM-000325

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.