Check: RHEL-06-000509
Red Hat Enterprise Linux 6 STIG: RHEL-06-000509 (in versions v2 r2 through v1 r14)
Title
The system must forward audit records to the syslog service. (Cat III impact)
Discussion
The auditd service cannot send audit records directly to a centralized server for management. It does, however, include an audit event multiplexor plugin (audispd) that passes audit records to the local syslog server.
Check Content
Verify the audispd plugin is active:
# grep active /etc/audisp/plugins.d/syslog.conf
If the "active" setting is missing or set to "no", this is a finding.
Fix Text
Set the "active" line in "/etc/audisp/plugins.d/syslog.conf" to "yes". Restart the auditd process.
# service auditd restart
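The check above as a script that can be run before and after the fix. This is an added example, not part of the STIG; it ignores commented-out lines, which a plain "grep active" also prints. The function name audisp_syslog_status is hypothetical, and treating an unreadable file or any uncommented value other than "yes" as a finding is an assumption of this example.

```sh
#!/bin/sh
# Added example, not part of the STIG: stricter form of the "grep active" check.
# Returns 0 only if every uncommented "active" line in the file is exactly "yes".
audisp_syslog_status() {
    conf=${1:-/etc/audisp/plugins.d/syslog.conf}
    if [ ! -r "$conf" ]; then
        # Assumption: a file that cannot be read cannot be verified.
        echo "finding: cannot read $conf"
        return 1
    fi
    # Anchor at line start so "# active = yes" and keys such as
    # "inactive" are ignored; print only the value after "=".
    values=$(sed -n \
        's/^[[:space:]]*active[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' \
        "$conf")
    if [ -z "$values" ]; then
        echo "finding: active setting is missing"
        return 1
    fi
    # First uncommented value that is not exactly "yes", if any.
    bad=$(printf '%s\n' "$values" | grep -vx 'yes' | head -n 1)
    if [ -n "$bad" ]; then
        echo "finding: active = $bad"
        return 1
    fi
    echo "ok: active = yes"
    return 0
}

# Constructed sample input (not from a real host): the commented line would
# still show up in plain "grep active" output.
sample=$(mktemp)
printf '%s\n' '# active = yes' 'active = no' 'direction = out' > "$sample"
audisp_syslog_status "$sample" || true
rm -f "$sample"
```

Called with no argument, the function reads /etc/audisp/plugins.d/syslog.conf.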
Additional Identifiers
Rule ID: SV-218092r603264_rule
Vulnerability ID: V-218092
Group Title: SRG-OS-000342
CCIs
Number | Definition |
---|---|
CCI-000136 | The organization centrally manages the content of audit records generated by organization-defined information system components. |
CCI-001844 | The information system provides centralized management and configuration of the content to be captured in audit records generated by organization-defined information system components. |
CCI-001851 | Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging. |