{"description": "To configure the <tt>auditd</tt> service to use the\n<tt>audisp-remote</tt> plug-in of the <tt>audispd</tt> audit event multiplexor, set\nthe <tt>active</tt> directive in <tt>/etc/audit/plugins.d/au-remote.conf</tt>\nto <tt>yes</tt>.\nRestart the <tt>auditd</tt> service to apply configuration changes:\n<pre>$ sudo service auditd restart</pre>", "rationale": "The auditd service does not include the ability to send audit\nrecords to a centralized server for management directly. It does, however,\ninclude a plug-in for the audit event multiplexor (audispd) to pass audit records\nto a remote server.", "severity": "medium", "references": {"srg": ["SRG-OS-000479-GPOS-00224", "SRG-OS-000342-GPOS-00133"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "it is not activated", "ocil": "To verify that audispd's au-remote plugin is active, run the following command:\n<pre>$ sudo grep active /etc/audit/plugins.d/au-remote.conf</pre>\nIf the plugin is active, the output will contain an uncommented <tt>active = yes</tt> line (a line such as <tt># active = no</tt> or <tt>active = no</tt> means it is not).", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_audit", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure auditd to use audispd's remote logging daemon", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_remote_daemon_activated/rule.yml", "template": {"name": "key_value_pair_in_file", "vars": {"app": "audispd", "key": "active", "value": "yes", "path": "/etc/audit/plugins.d/au-remote.conf"}, "backends": {}}}
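The rule above leaves its `fixes` map empty and relies on the `key_value_pair_in_file` template. The following shell script is an added example, not the SSG project's generated remediation: it applies the same `active = yes` setting to an `au-remote.conf` file idempotently (rewriting an existing or commented-out `active` line instead of appending a duplicate) and then checks the result the way the OCIL `grep` does. The function names, the `check_case` driver and the sample config contents are constructed for the example; running it against the real `/etc/audit/plugins.d/au-remote.conf` requires root and must be followed by `service auditd restart`, which the script deliberately does not do.

```shell
#!/bin/sh
# Added example (not SSG code): enforce and verify "active = yes" in an
# audisp plugin config such as /etc/audit/plugins.d/au-remote.conf.

ACTIVE_RE='^[[:space:]]*#?[[:space:]]*active[[:space:]]*='

ensure_active_yes() {
    # $1: path to the plugin config. Idempotent: if an uncommented
    # "active = yes" is already present nothing is rewritten.
    conf="$1"
    if is_active "$conf"; then
        return 0
    fi
    if grep -Eq "$ACTIVE_RE" "$conf"; then
        # Rewrite the existing (possibly commented-out) directive in place.
        # A temp file + mv keeps this portable across GNU and BSD sed.
        sed -E "s/${ACTIVE_RE}.*\$/active = yes/" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf 'active = yes\n' >> "$conf"
    fi
}

is_active() {
    # Mirrors the OCIL check: an uncommented "active = yes" line must exist.
    grep -Eq '^[[:space:]]*active[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

check_case() {
    # $1: initial "active" line to seed a constructed sample config with
    # (empty string = no active line at all). Returns 0 when, after
    # remediation, the plugin is active and exactly one active line remains.
    tmp=$(mktemp)
    {
        printf '# constructed sample au-remote.conf, not a real system file\n'
        if [ -n "$1" ]; then printf '%s\n' "$1"; fi
        printf 'direction = out\npath = /sbin/audisp-remote\n'
        printf 'type = always\nformat = string\n'
    } > "$tmp"
    ensure_active_yes "$tmp"
    count=$(grep -Ec "$ACTIVE_RE" "$tmp")
    if is_active "$tmp" && [ "$count" -eq 1 ]; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Usage on a live system (as root), then: service auditd restart
#   ensure_active_yes /etc/audit/plugins.d/au-remote.conf
```

The `count` check in `check_case` is the part a naive `echo "active = yes" >> file` remediation gets wrong: audispd reads the last value it sees, so a stale `active = no` left above an appended `active = yes` still works, but a later `active = no` edit would silently win, and the OCIL grep would print both lines.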