Check: SLES-15-030690
SUSE Linux Enterprise Server 15 STIG:
SLES-15-030690
(in versions v2 r3 through v2 r2)
Title
Audispd must off-load audit records onto a different system or media from the SUSE operating system being audited. (Cat III impact)
Discussion
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Check Content
Verify "audispd" off-loads audit records onto a different system or media from the SUSE operating system being audited. Check if "audispd" is configured to off-load audit records onto a different system or media from the SUSE operating system by running the following command: > sudo grep remote_server /etc/audit/audisp-remote.conf remote_server = 192.168.1.101 If "remote_server" is not set to an external server or media, or is commented out, this is a finding.
Fix Text
Configure the SUSE operating system "/etc/audit/audisp-remote.conf" file to off-load audit records onto a different system or media by adding or editing the following line with the correct IP address: remote_server = [IP ADDRESS]
Additional Identifiers
Rule ID: SV-234968r1009570_rule
Vulnerability ID: V-234968
Group Title: SRG-OS-000342-GPOS-00133
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001851 |
Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging. |
Controls
| Number | Title |
|---|---|
| AU-4(1) |
Transfer to Alternate Storage |