STIGQter: STIG Summary: Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 10 Mar 2021:

The Ubuntu operating system audit event multiplexor must be configured to off-load audit logs onto a different system or storage media from the system being audited.

DISA Rule

SV-238306r654093_rule

Vulnerability Number

V-238306

Group Title

SRG-OS-000342-GPOS-00133

Rule Version

UBTU-20-010216

Severity

CAT III

CCI(s)

• CCI-001851 - The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited.

Weight

10

Fix Recommendation

Configure the audit event multiplexor to offload audit records to a different system or storage media from the system being audited.

Install the audisp-remote plugin:

$ sudo apt-get install audispd-plugins -y

Set the audisp-remote plugin as active by editing the "/etc/audisp/plugins.d/au-remote.conf" file:

$ sudo sed -i -E 's/active\s*=\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf

Set the address of the remote machine by editing the "/etc/audisp/audisp-remote.conf" file:

$ sudo sed -i -E 's/(remote_server\s*=).*/\1 <remote addr>/' /etc/audisp/audisp-remote.conf

where <remote addr> must be substituted by the address of the remote server receiving the audit log.

Make the audit service reload its configuration files:

$ sudo systemctl restart auditd.service

Check Contents

Verify the audit event multiplexor is configured to offload audit records to a different system or storage media from the system being audited.

Check that audisp-remote plugin is installed:

$ sudo dpkg -s audispd-plugins

If status is "not installed", this is a finding.

Check that the records are being offloaded to a remote server with the following command:

$ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf

active = yes

If "active" is not set to "yes", or the line is commented out, this is a finding.

Check that audisp-remote plugin is configured to send audit logs to a different system:

$ sudo grep -i ^remote_server /etc/audisp/audisp-remote.conf

remote_server = 192.168.122.126

If the "remote_server" parameter is not set, is set with a local address, or is set with an invalid address, this is a finding.

Vulnerability Number

V-238306

Documentable

False

Rule Version

UBTU-20-010216

Severity Override Guidance

Verify the audit event multiplexor is configured to offload audit records to a different system or storage media from the system being audited.

Check that audisp-remote plugin is installed:

$ sudo dpkg -s audispd-plugins

If status is "not installed", this is a finding.

Check that the records are being offloaded to a remote server with the following command:

$ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf

active = yes

If "active" is not set to "yes", or the line is commented out, this is a finding.

Check that audisp-remote plugin is configured to send audit logs to a different system:

$ sudo grep -i ^remote_server /etc/audisp/audisp-remote.conf

remote_server = 192.168.122.126

If the "remote_server" parameter is not set, is set with a local address, or is set with an invalid address, this is a finding.

Check Content Reference

M

Target Key

5318

Comments