DISA STIGS Viewer

The audit-audispd-plugins package must be installed on SLEM 5.

Overview

Finding ID Version Rule ID IA Controls Severity
V-261412 SLEM-05-653020 SV-261412r996649_rule   Medium
Description
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity. The auditd service does not include the ability to send audit records to a centralized server for management directly. However, it can use a plug-in for audit event multiplexor to pass audit records to a remote server.
STIG Date
SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide 2025-05-08

Details

Check Text (C-65141r996647_chk)
Verify that the "audit-audispd-plugins" package is installed on SLEM 5 with the following command:

> zypper info audit-audispd-plugins | grep Installed
Installed : Yes

If the "audit-audispd-plugins" package is not installed, this is a finding.

Verify the "au-remote" plugin is enabled with the following command:

> sudo grep -i active /etc/audisp/plugins.d/au-remote.conf
active = yes

If "active" is not set to "yes", is commented out, or is missing, this is a finding.
Fix Text (F-65049r996648_fix)
Install the "audit-audispd-plugins" package on SLEM 5 by running the following command:

> sudo transactional-update pkg install audit-audispd-plugins

Add or modify the following line in the "/etc/audisp/plugins.d/au-remote.conf" file:

active = yes

Reboot the system:

> sudo reboot