{"description": "Ensure the executable used by the <tt>audisp-remote</tt>\nplug-in of the <tt>audispd</tt> audit event multiplexor is correct.\nCheck that the <tt>path</tt> directive in\n<tt>/etc/audit/plugins.d/au-remote.conf</tt> is <tt>/sbin/audisp-remote</tt>.\nRestart the <tt>auditd</tt> service to apply configuration changes:\n<pre>$ sudo service auditd restart</pre>", "rationale": "The auditd service does not include the ability to send audit\nrecords to a centralized server for management directly. It does, however,\ninclude a plug-in for the audit event multiplexor (audispd) to pass audit records\nto a remote server.", "severity": "medium", "references": {"srg": ["SRG-OS-000479-GPOS-00224", "SRG-OS-000342-GPOS-00133"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "it is not configured", "ocil": "To verify if audispd's au-remote plugin is configured, run the following command:\n<pre>$ sudo grep path /etc/audit/plugins.d/au-remote.conf</pre>\nIf the plugin is configured correctly, the output will show <tt>/sbin/audisp-remote</tt>.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Ensure the audispd's remote logging daemon executable is correct", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_remote_daemon_path/rule.yml", "template": {"name": "key_value_pair_in_file", "vars": {"app": "audispd", "key": "path", "value": "/sbin/audisp-remote", "path": "/etc/audit/plugins.d/au-remote.conf"}, "backends": {}}}