← Back to SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide

V-261412

CAT II (Medium)

The audit-audispd-plugins package must be installed on SLEM 5.

Rule ID

SV-261412r996649_rule

STIG

SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide

Version

V1R4

CCIs

CCI-001851

Discussion

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity. The auditd service does not include the ability to send audit records to a centralized server for management directly. However, it can use a plug-in for audit event multiplexor to pass audit records to a remote server.

Check Content

Verify that the "audit-audispd-plugins" package is installed on SLEM 5 with the following command:

     > zypper info audit-audispd-plugins | grep Installed
     Installed    : Yes

If the "audit-audispd-plugins" package is not installed, this is a finding.

Verify the "au-remote" plugin is enabled with the following command: 

     > sudo grep -i active /etc/audisp/plugins.d/au-remote.conf 
     active = yes

If "active" is not set to "yes", is commented out, or is missing, this is a finding.

Fix Text

Install the "audit-audispd-plugins" package on SLEM 5 by running the following command:

     > sudo transactional-update pkg install audit-audispd-plugins

Add or modify the following line in the "/etc/audisp/plugins.d/au-remote.conf" file:

active = yes

Reboot the system:

     > sudo reboot