RHEL 9 must be configured to offload audit records onto a different system from the system being audited via syslog.

STIG ID: RHEL-09-652035  |  SRG: SRG-OS-000342-GPOS-00133 |  Severity: medium |  CCI: CCI-001851 |  Vulnerability Id: V-258145 | 

Vulnerability Discussion

The auditd service does not include the ability to send audit records to a centralized server for management directly. However, it can use a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server.

Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224

Check

Verify RHEL 9 is configured use the audisp-remote syslog service with the following command:

$ sudo grep active /etc/audit/plugins.d/syslog.conf

active = yes

If the "active" keyword does not have a value of "yes", the line is commented out, or the line is missing, this is a finding.

Fix

Edit the /etc/audit/plugins.d/syslog.conf file and add or update the "active" option:

active = yes

The audit daemon must be restarted for changes to take effect.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.