Vulnerability Discussion
Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Offloading is a common process in information systems with limited audit storage capacity.
The auditd service does not include the ability to send audit records to a centralized server for management directly. However, it can use a plug-in for audit event multiplexor to pass audit records to a remote server.
Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224
Check
Verify the audit event multiplexor is configured to offload audit records to a different system from the system being audited.
Check if the "audispd-plugins" package is installed:
$ dpkg -l | grep audispd-plugins
ii audispd-plugins 1:3.0.7-1build1 amd64 Plugins for the audit event dispatcher
If the "audispd-plugins" package is not installed, this is a finding.
Check that the records are being offloaded to a remote server by using the following command:
$ sudo grep -i active /etc/audit/plugins.d/au-remote.conf
active = yes
If "active" is not set to "yes", or the line is commented out, or is missing, this is a finding.
Check that audisp-remote plugin is configured to send audit logs to a different system:
$ sudo grep -i remote_server /etc/audit/audisp-remote.conf
remote_server = 240.9.19.81
If the "remote_server" parameter is not set, is set with a local IP address, or is set with an invalid IP address, this is a finding.
Fix
Configure the audit event multiplexor to offload audit records to a different system from the system being audited.
Install the "audisp-plugins" package by using the following command:
$ sudo apt-get install audispd-plugins
Set the audisp-remote plugin as active by editing the "/etc/audit/plugins.d/au-remote.conf" file:
$ sudo sed -i -E 's/active\s*=\s*no/active = yes/' /etc/audit/plugins.d/au-remote.conf
Set the IP address of the remote system by editing the "/etc/audit/audisp-remote.conf" file:
$ sudo sed -i -E 's/(remote_server\s*=).*/\1 /' /etc/audit/audisp-remote.conf
Restart the "auditd.service" for the changes to take effect:
$ sudo systemctl restart auditd.service