Ubuntu 24.04 LTS audit event multiplexor must be configured to offload audit logs onto a different system or storage media from the system being audited.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-270658 | UBTU-24-100450 | SV-270658r1067151_rule | Low |
| Description |
| Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity. Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 |
| STIG | Date |
| Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide | 2025-05-16 |
Details
| Check Text (C-74691r1067149_chk) |
| Verify the audit event multiplexor is configured to offload audit records to a different system or storage media from the system being audited. Check that audisp-remote plugin is installed: $ dpkg -l | grep audispd-plugins ii audispd-plugins 1:3.1.2-2.1build1.1 amd64 Plugins for the audit event dispatcher If the packet is "not installed", this is a finding. Check that the records are being offloaded to a remote server with the following command: $ sudo grep -i active /etc/audit/plugins.d/au-remote.conf active = yes If "active" is not set to "yes", or the line is commented out, or is missing, this is a finding. Check that audisp-remote plugin is configured to send audit logs to a different system: $ sudo grep -i ^remote_server /etc/audit/audisp-remote.conf remote_server = 192.168.122.126 If the "remote_server" parameter is not set, is set with a local address, or is set with an invalid address, this is a finding. |
| Fix Text (F-74592r1067150_fix) |
| Configure the audit event multiplexor to offload audit records to a different system or storage media from the system being audited. Install the audisp-remote plugin: $ sudo apt install -y audispd-plugins Set the audisp-remote plugin as active by editing the "/etc/audit/plugins.d/au-remote.conf" file: $ sudo sed -i -E 's/active\s*=\s*no/active = yes/' /etc/audit/plugins.d/au-remote.conf Set the address of the remote machine by editing the "/etc/audit/audisp-remote.conf" file: $ sudo sed -i -E 's/(remote_server\s*=).*/\1 <remote addr>/' /etc/audit/audisp-remote.conf where <remote addr> must be substituted by the address of the remote server receiving the audit log. Make the audit service reload its configuration files: $ sudo systemctl restart auditd.service |