Check: SLES-15-030690
SUSE Linux Enterprise Server 15 STIG:
SLES-15-030690
(in versions v1 r13 through v1 r1)
Title
Audispd must off-load audit records onto a different system or media from the SUSE operating system being audited. (Cat III impact)
Discussion
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Check Content
Verify "audispd" off-loads audit records onto a different system or media from the SUSE operating system being audited. Check if "audispd" is configured to off-load audit records onto a different system or media from the SUSE operating system by running the following command: > sudo grep remote_server /etc/audisp/audisp-remote.conf remote_server = 192.168.1.101 If "remote_server" is not set to an external server or media, or is commented out, this is a finding.
Fix Text
Configure the SUSE operating system "/etc/audisp/audisp-remote.conf" file to off-load audit records onto a different system or media by adding or editing the following line with the correct IP address: remote_server = [IP ADDRESS]
Additional Identifiers
Rule ID: SV-234968r877390_rule
Vulnerability ID: V-234968
Group Title: SRG-OS-000342-GPOS-00133
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001851 |
The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited. |
Controls
| Number | Title |
|---|---|
| AU-4 (1) |
Transfer To Alternate Storage |