The audit-audispd-plugins must be installed on the SUSE operating system.

STIG ID: SLES-12-020070  |  SRG: SRG-OS-000342-GPOS-00133 | Severity: medium |  CCI: CCI-001851

Vulnerability Discussion

Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Off-loading is a common process in information systems with limited audit storage capacity.

Check

Verify that the "audit-audispd-plugins" package is installed on the SUSE operating system.

Check that the "audit-audispd-plugins" package is installed on the SUSE operating system with the following command:

# zypper se audit-audispd-plugins

If the "audit-audispd-plugins" package is not installed, this is a finding.

Verify the "au-remote" plugin is enabled with the following command:

# grep -i active /etc/audisp/plugins.d/au-remote.conf
active = yes

If "active" is missing, commented out, or is not set to "yes", this is a finding.

Fix

Install the "audit-audispd-plugins" package on the SUSE operating system by running the following command:

# sudo zypper install audit-audispd-plugins

In /etc/audisp/plugins.d/au-remote.conf, change the value of "active" to "yes", or add "active = yes" if no such setting exists in the file.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.