Details

Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Off-loading is a common process in information systems with limited audit storage capacity.

Solution

Configure the audit event multiplexor to off-load audit records to a different system or storage media from the system being audited.

Install the audisp-remote plugin:

# sudo apt-get install audispd-plugins -y

Set the audisp-remote plugin as active, by editing the /etc/audisp/plugins.d/au-remote.conf file:

# sudo sed -i -E ‘s/actives*=s*no/active = yes/’ /etc/audisp/plugins.d/au-remote.conf

Set the address of the remote machine, by editing the /etc/audisp/audisp-remote.conf file:

# sudo sed -i -E ‘s/(remote_servers*=).*/1 /’ audisp-remote.conf

where must be substituted by the address of the remote server receiving the audit log.

Make the audit service reload its configuration files:

# sudo systemctl restart auditd.service

Supportive Information

The following resource is also helpful.

• https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CAN_Ubuntu_18-04_LTS_V2R4_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Audit and Accountability.This control applies to the following type of system Unix.

References

• 800-53|AU-4(1)
• CAT|III
• CCI|CCI-001851
• Rule-ID|SV-219153r610963_rule
• STIG-ID|UBTU-18-010007
• STIG-Legacy|SV-109635
• STIG-Legacy|V-100531
• Vuln-ID|V-219153

Source

• Tenable.com/audits