{"description": "Configure the audispd plugin to off-load audit records onto a different\nsystem or media from the system being audited.\n\nFirst, set the <tt>active</tt> option in\n<pre>/etc/audisp/plugins.d/au-remote.conf</pre>\n\nSet the <tt>remote_server</tt> option in <pre>/etc/audit/audisp-remote.conf</pre>\nwith an IP address or hostname of the system that the audispd plugin should\nsend audit records to. For example\n<pre>remote_server = <i><sub idref=\"var_audispd_remote_server\" /></i></pre>", "rationale": "Information stored in one location is vulnerable to accidental or incidental\ndeletion or alteration.Off-loading is a common process in information systems\nwith limited audit storage capacity.", "severity": "medium", "references": {"srg": ["SRG-OS-000342-GPOS-00133", "SRG-OS-000479-GPOS-00224"], "stigid": ["UBTU-22-653020"], "stigref": ["SV-260592r958754_rule"]}, "control_references": {"stigid": ["UBTU-22-653020"]}, "components": [], "identifiers": {}, "ocil_clause": "audispd is not sending logs to a remote system", "ocil": "Check that the records are being offloaded to a remote server with the\nfollowing command:\n<pre>$ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf</pre>\nThe output should return:\n<pre>active = yes</pre>\n\nTo verify the audispd plugin off-loads audit records onto a different system or\nmedia from the system being audited, run the following command:\n<pre>$ sudo grep -i remote_server /etc/audit/audisp-remote.conf</pre>\nThe output should return something similar to\n<pre>remote_server = <i><sub idref=\"var_audispd_remote_server\" /></i></pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to off-load audit records to a different system.\n\nAdd or edit the following line in /etc/audit/audisp-remote.conf:\n\nremote_server = <sub idref=\"var_audispd_remote_server\" />", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must off-load audit records onto a different system or media from the system being audited.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Configure audispd Plugin To Send Logs To Remote Server", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml", "template": null}