Ubuntu 22.04 LTS audit event multiplexor must be configured to offload audit logs onto a different system from the system being audited.

STIG ID: UBTU-22-653020  |  SRG: SRG-OS-000342-GPOS-00133 |  Severity: low |  CCI: CCI-001851 |  Vulnerability Id: V-260592 | 

Vulnerability Discussion

Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Offloading is a common process in information systems with limited audit storage capacity.

The auditd service does not include the ability to send audit records to a centralized server for management directly. However, it can use a plug-in for audit event multiplexor to pass audit records to a remote server.

Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224

Check

Verify the audit event multiplexor is configured to offload audit records to a different system from the system being audited.

Check if the "audispd-plugins" package is installed:

$ dpkg -l | grep audispd-plugins
ii audispd-plugins 1:3.0.7-1build1 amd64 Plugins for the audit event dispatcher

If the "audispd-plugins" package is not installed, this is a finding.

Check that the records are being offloaded to a remote server by using the following command:

$ sudo grep -i active /etc/audit/plugins.d/au-remote.conf
active = yes

If "active" is not set to "yes", or the line is commented out, or is missing, this is a finding.

Check that audisp-remote plugin is configured to send audit logs to a different system:

$ sudo grep -i remote_server /etc/audit/audisp-remote.conf
remote_server = 240.9.19.81

If the "remote_server" parameter is not set, is set with a local IP address, or is set with an invalid IP address, this is a finding.

Fix

Configure the audit event multiplexor to offload audit records to a different system from the system being audited.

Install the "audisp-plugins" package by using the following command:

$ sudo apt-get install audispd-plugins

Set the audisp-remote plugin as active by editing the "/etc/audit/plugins.d/au-remote.conf" file:

$ sudo sed -i -E 's/active\s*=\s*no/active = yes/' /etc/audit/plugins.d/au-remote.conf

Set the IP address of the remote system by editing the "/etc/audit/audisp-remote.conf" file:

$ sudo sed -i -E 's/(remote_server\s*=).*/\1 /' /etc/audit/audisp-remote.conf

Restart the "auditd.service" for the changes to take effect:

$ sudo systemctl restart auditd.service