The Riverbed NetIM must off-load audit records onto a different system or media than the system being audited.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-275482 | RIIM-DM-000043 | SV-275482r1147496_rule | CCI-001851 | medium |
| Description | ||||
| Information stored in one location on a disk may be vulnerable to accidental or incidental deletion or alteration. The ability to off-load those files is a common process used while managing information systems. | ||||
| STIG | Date | |||
| Riverbed NetIM NDM Security Technical Implementation Guide | 2025-09-29 | |||
Related Frameworks
2 paths across 2 frameworks
Related Frameworks
NIST 800-531 mapping
AU-4(1)
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
CCI1 mapping
CCI-001851
1.00
- DISA · V1R1 · disa_xccdf · related
Details
Check Text (C-275482r1147496_chk)
Verify auditing is configured to send events to a central log server by using the following command:
$ sudo grep -i action(type="omfwd" target="<Syslog Server IP > " port="3514" protocol="tcp"
action.resumeRetryCount="100"
queue.type="linkedList" queue.size="10000")
If auditing is configured to send events to a central log server, this is a finding.
Fix Text (F-79489r1147495_fix)
Configure "rsyslog.d" service to send NetIM audit logs to central syslog.
1. Add or modify the following line in the "/etc/rsyslog.d" file:
$ sudo nano /etc/rsyslog.d/60-netim.conf
2. Add the following text:
*.* action(type="omfwd" target="<Syslog Server IP > " port="3514" protocol="tcp"
action.resumeRetryCount="100"
queue.type="linkedList" queue.size="10000")
3. Restart rsyslog service.
$ sudo service rsyslog restart