Amazon Linux 2023 must be configured to off-load audit records onto a different system from the system being audited via syslog.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-274080 | AZLX-23-002080 | SV-274080r1120228_rule | CCI-001851 | low |
| Description | ||||
| The auditd service does not include the ability to send audit records to a centralized server for management directly. However, it can use a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server. Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 | ||||
| STIG | Date | |||
| Amazon Linux 2023 Security Technical Implementation Guide | 2026-02-27 | |||
Related Frameworks
2 paths across 2 frameworks
Related Frameworks
NIST 800-531 mapping
AU-4(1)
1.00
- DISA · V1R3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
CCI1 mapping
CCI-001851
1.00
- DISA · V1R3 · disa_xccdf · related
Details
Check Text (C-274080r1120228_chk)
Verify Amazon Linux 2023 off-loads audit records onto a different system with the following command:
$ more /etc/systemd/journal-upload.conf
[Upload]
URL=192.168.21.2
ServerKeyFile=/etc/ssl/private/journal-upload.pem
ServerCertificateFile=/etc/ssl/certs/journal-upload.pem
TrustedCertificateFile=/etc/ssl/ca/trusted.pem
If all of the entries do not have values, are commented out, or are missing, this is a finding.
Fix Text (F-78076r1120227_fix)
Configure Amazon Linux 2023 to off-load audit records onto a different system or media from the system being audited.
If using systemd-journal-upload:
Edit "/etc/systemd/journal-upload.conf" with the appropriate configuration:
[Upload]
URL=https://[server.domain]:[port]