The audit-audispd-plugins package must be installed on SLEM 5.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-261412 | SLEM-05-653020 | SV-261412r996649_rule | CCI-001851 | medium |
| Description | ||||
| Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity. The auditd service does not include the ability to send audit records to a centralized server for management directly. However, it can use a plug-in for audit event multiplexor to pass audit records to a remote server. | ||||
| STIG | Date | |||
| SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide | 2025-05-08 | |||
Details
Check Text (C-261412r996649_chk)
Verify that the "audit-audispd-plugins" package is installed on SLEM 5 with the following command:
> zypper info audit-audispd-plugins | grep Installed
Installed : Yes
If the "audit-audispd-plugins" package is not installed, this is a finding.
Verify the "au-remote" plugin is enabled with the following command:
> sudo grep -i active /etc/audisp/plugins.d/au-remote.conf
active = yes
If "active" is not set to "yes", is commented out, or is missing, this is a finding.
Fix Text (F-65049r996648_fix)
Install the "audit-audispd-plugins" package on SLEM 5 by running the following command:
> sudo transactional-update pkg install audit-audispd-plugins
Add or modify the following line in the "/etc/audisp/plugins.d/au-remote.conf" file:
active = yes
Reboot the system:
> sudo reboot