Rule ID
SV-279567r1192427_rule
Version
V1R1
CCIs
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224
Verify there are lines in the "/etc/rsyslog.d/rsyslog-nutanix.conf" file that contain the "@" or "@@" symbol(s), and that those lines use the correct symbol(s) to send output to a remote log host (in rsyslog's legacy syntax a single "@" forwards over UDP and "@@" forwards over TCP).

$ sudo grep @ /etc/rsyslog.d/rsyslog-nutanix.conf

local0.*; @remote-log-host:514

If the lines are commented out or there is no evidence that the audit logs are being sent to another system, this is a finding.
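The following POSIX shell script is an added example, not part of the STIG text or of any Nutanix tooling. It automates the check above: it strips comment lines from an rsyslog configuration file and reports whether at least one active line forwards to a remote host with the legacy "@host" (UDP) or "@@host" (TCP) action syntax, which is the only form the check looks for. The file name and the two sample configurations are constructed for the demonstration; point check_remote_syslog at the real /etc/rsyslog.d/rsyslog-nutanix.conf to run it against a host.

```shell
#!/bin/sh
# Added example: automate the "@"/"@@" remote-forwarding check for an rsyslog
# configuration file. Only the legacy "@host" / "@@host" action syntax shown in
# the STIG check is recognised (assumption: RainerScript "target=" actions are
# not in scope here).

# check_remote_syslog FILE
#   returns 0 when at least one uncommented line forwards to a remote host,
#   returns 1 when no such line exists (the STIG's "finding" condition),
#   returns 2 when FILE is missing or unreadable.
check_remote_syslog() {
    conf="$1"
    [ -r "$conf" ] || return 2
    # Drop lines whose first non-blank character is "#", then require an
    # "@" or "@@" that starts a token and is followed by a host character.
    if grep -v '^[[:space:]]*#' "$conf" \
        | grep -Eq '(^|[[:space:]])@@?[^[:space:]@]'; then
        return 0
    fi
    return 1
}

# active_forwarding_lines FILE
#   prints the uncommented forwarding lines, for the evidence an assessor records.
active_forwarding_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep -E '(^|[[:space:]])@@?[^[:space:]@]'
}

# report FILE: human-readable PASS / FINDING summary for one file.
report() {
    if check_remote_syslog "$1"; then
        echo "PASS: $1 forwards to a remote log host:"
        active_forwarding_lines "$1" | sed 's/^/    /'
    elif [ $? -eq 2 ]; then
        echo "FINDING: $1 is missing or unreadable"
    else
        echo "FINDING: $1 has no active remote forwarding line"
    fi
}

# make_samples: create two constructed configuration files in a temp directory
#   and print the directory name. pass.conf mirrors the expected grep output in
#   the STIG check; fail.conf has the forwarding line commented out.
make_samples() {
    dir=$(mktemp -d)
    printf 'local0.*; @remote-log-host:514\n' > "$dir/pass.conf"
    printf '# local0.*; @remote-log-host:514\n*.* /var/log/messages\n' > "$dir/fail.conf"
    echo "$dir"
}

# Demonstration on the constructed samples.
samples=$(make_samples)
report "$samples/pass.conf"
report "$samples/fail.conf"
rm -rf "$samples"
```

The script only confirms that a forwarding line is present and not commented out; it does not prove that records actually reach the remote host, so an assessor still needs corroborating evidence from the receiving syslog server.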
1. Configure the OS to off-load audit records to a site-specific syslog server by running the following commands:

ncli rsyslog-config add-server name=[alias_of_central_host] ip-address=[IP_of_central_host] port=[port_of_central_host] network-protocol=tcp|udp|relp relp-enabled=yes|no; ncli rsyslog-config add-module module-name=syslog_module level=info server-name=[alias_of_central_host]

2. Configure the remote syslog server to perform the following:
- Notify designated personnel if baseline configurations are changed in an unauthorized manner.
- Notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
- Notify system administrators and ISSOs when accounts are created.
- Notify system administrators and ISSOs when accounts are modified.
- Notify system administrators and ISSOs when accounts are removed.
- Notify system administrators and ISSOs when accounts are disabled.
- Notify SAs and ISSOs of account enabling actions.