STIGQter: STIG Summary: CA API Gateway NDM Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 19 Sep 2016: The CA API Gateway must off-load audit records onto a different system or media than the system being audited.

DISA Rule

SV-86193r1_rule

Vulnerability Number

V-71569

Group Title

SRG-APP-000515-NDM-000325

Rule Version

CAGW-DM-000350

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Setup steps:

Configure rsyslogd to monitor the "/var/log/audit/audit.log" file for updates by adding the following stanza:

# auditd audit.log
$ModLoad imfile
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor

to the "/etc/rsyslogd.conf" file.

Note: This creates audit log entries for facility "local6" and priority "info". This can be changed to suit.

Configure "rsyslogd" to forward this combination (local6.info) to the appropriate loghost by adding a logging rule to the rules section of the "rsyslogd.conf" file:

local6.* @@loghost.ca.com

Note that the syntax "@@loghost.ca.com" means that the records are forwarded via TCP.

A single "@" before the remote loghost would mean the records are forwarded via UDP.

Check Contents

Verify by confirming the following lines are part of "rsyslogd.conf":

# auditd audit.log
$ModLoad imfile
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor

Further verify that this line is also part of the rsyslogd.conf file:

local6.* @@loghost.ca.com

If "rsyslogd.conf" does not contain the above lines, this is a finding.
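The check above as a script, added here as an example and not part of the STIG, STIGQter or CA's product: it reads an rsyslog configuration file given as its argument (the STIG names "/etc/rsyslogd.conf"; on most hosts the file is /etc/rsyslog.conf, which is an assumption), reports each missing imfile directive, and treats a single "@" (UDP) forwarding rule as a finding because the rule requires "@@" (TCP). It exercises itself on a constructed sample file so it can be run stand-alone.

```shell
#!/bin/sh
# Example compliance check for CAGW-DM-000350 (added example, not STIG code).
# check_audit_forwarding CONF: 0 = compliant, 1 = finding, 2 = cannot read file.
# Required directives are compared after stripping leading whitespace only.
check_audit_forwarding() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    rc=0
    # Every line of the imfile stanza from the STIG must be present verbatim.
    for directive in \
        '$ModLoad imfile' \
        '$InputFileName /var/log/audit/audit.log' \
        '$InputFileTag tag_audit_log:' \
        '$InputFileStateFile audit_log' \
        '$InputFileSeverity info' \
        '$InputFileFacility local6' \
        '$InputRunFileMonitor'
    do
        if ! sed 's/^[[:space:]]*//' "$conf" | grep -qxF -- "$directive"; then
            echo "finding: missing directive: $directive"
            rc=1
        fi
    done
    # local6.* must go to a remote loghost over TCP ("@@"); UDP ("@") is a finding.
    if sed 's/^[[:space:]]*//' "$conf" | grep -Eq '^local6\.\*[[:space:]]+@@[^[:space:]]+'; then
        :
    elif sed 's/^[[:space:]]*//' "$conf" | grep -Eq '^local6\.\*[[:space:]]+@[^@]'; then
        echo "finding: local6.* is forwarded over UDP (single @); the rule requires TCP (@@)"
        rc=1
    else
        echo "finding: no local6.* forwarding rule found"
        rc=1
    fi
    return $rc
}
# Constructed sample configuration (not a real host's file) for a stand-alone run.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
$ModLoad imfile
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
local6.* @@loghost.ca.com
EOF
if check_audit_forwarding "$sample_conf"; then echo "compliant"; else echo "finding"; fi
rm -f "$sample_conf"
```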

Vulnerability Number

V-71569

Documentable

False

Rule Version

CAGW-DM-000350

Severity Override Guidance


Check Content Reference

M

Target Key

3051

Comments