The Riverbed NetIM must off-load audit records onto a different system or media than the system being audited.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-275482 | RIIM-DM-000043 | SV-275482r1147496_rule | CCI-001851 | medium |
| Description | ||||
| Information stored in one location on a disk may be vulnerable to accidental or incidental deletion or alteration. The ability to off-load those files is a common process used while managing information systems. | ||||
| STIG | Date | |||
| Riverbed NetIM NDM Security Technical Implementation Guide | 2025-09-29 | |||
Details
Check Text (C-275482r1147496_chk)
Verify auditing is configured to send events to a central log server by using the following command:
$ sudo grep -i action(type="omfwd" target="<Syslog Server IP > " port="3514" protocol="tcp"
action.resumeRetryCount="100"
queue.type="linkedList" queue.size="10000")
If auditing is configured to send events to a central log server, this is a finding.
Fix Text (F-79489r1147495_fix)
Configure "rsyslog.d" service to send NetIM audit logs to central syslog.
1. Add or modify the following line in the "/etc/rsyslog.d" file:
$ sudo nano /etc/rsyslog.d/60-netim.conf
2. Add the following text:
*.* action(type="omfwd" target="<Syslog Server IP > " port="3514" protocol="tcp"
action.resumeRetryCount="100"
queue.type="linkedList" queue.size="10000")
3. Restart rsyslog service.
$ sudo service rsyslog restart