The Ubuntu operating system audit event multiplexor must be configured to off-load audit logs onto a different system or storage media from the system being audited.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-238306 | UBTU-20-010216 | SV-238306r958754_rule | CCI-001851 | low |
| Description | ||||
| Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 | ||||
| STIG | Date | |||
| Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide | 2025-05-16 | |||
Details
Check Text (C-238306r958754_chk)
Verify the audit event multiplexor is configured to offload audit records to a different system or storage media from the system being audited.
Check that audisp-remote plugin is installed:
$ sudo dpkg -s audispd-plugins
If status is "not installed", this is a finding.
Check that the records are being offloaded to a remote server with the following command:
$ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf
active = yes
If "active" is not set to "yes", or the line is commented out, this is a finding.
Check that audisp-remote plugin is configured to send audit logs to a different system:
$ sudo grep -i ^remote_server /etc/audisp/audisp-remote.conf
remote_server = 192.168.122.126
If the "remote_server" parameter is not set, is set with a local address, or is set with an invalid address, this is a finding.
Fix Text (F-41475r654092_fix)
Configure the audit event multiplexor to offload audit records to a different system or storage media from the system being audited.
Install the audisp-remote plugin:
$ sudo apt-get install audispd-plugins -y
Set the audisp-remote plugin as active by editing the "/etc/audisp/plugins.d/au-remote.conf" file:
$ sudo sed -i -E 's/active\s*=\s*no/active = yes/' /etc/audisp/plugins.d/au-remote.conf
Set the address of the remote machine by editing the "/etc/audisp/audisp-remote.conf" file:
$ sudo sed -i -E 's/(remote_server\s*=).*/\1 <remote addr>/' /etc/audisp/audisp-remote.conf
where <remote addr> must be substituted by the address of the remote server receiving the audit log.
Make the audit service reload its configuration files:
$ sudo systemctl restart auditd.service