STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 4 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide

V-260592

CAT III (Low)

Ubuntu 22.04 LTS audit event multiplexor must be configured to offload audit logs onto a different system from the system being audited.

Rule ID

SV-260592r1101709_rule

STIG

Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide

Version

V2R8

CCIs

CCI-001851

Discussion

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity. The auditd service does not include the ability to send audit records to a centralized server for management directly. However, it can use a plug-in for audit event multiplexor to pass audit records to a remote server. Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224

Check Content

Verify the audit event multiplexor is configured to offload audit records to a different system from the system being audited.  
  
Check if the "audispd-plugins" package is installed:  
  
     $ dpkg -l | grep audispd-plugins 
     ii     audispd-plugins     1:3.0.7-1build1     amd64     Plugins for the audit event dispatcher 
  
If the "audispd-plugins" package is not installed, this is a finding.  
  
Check that the records are being offloaded to a remote server by using the following command:  
  
     $ sudo grep -i active /etc/audit/plugins.d/au-remote.conf 
     active = yes  
  
If "active" is not set to "yes", or the line is commented out, or is missing, this is a finding.  
  
Check that audisp-remote plugin is configured to send audit logs to a different system:  
  
     $ sudo grep -i remote_server /etc/audit/audisp-remote.conf 
     remote_server = 240.9.19.81 
  
If the "remote_server" parameter is not set, is set with a local IP address, or is set with an invalid IP address, this is a finding.

Fix Text

Configure the audit event multiplexor to offload audit records to a different system from the system being audited.  
  
Install the "audispd-plugins" package by using the following command:  
  
     $ sudo apt-get install audispd-plugins 
  
Set the audisp-remote plugin as active by editing the "/etc/audit/plugins.d/au-remote.conf" file:  
  
     $ sudo sed -i -E 's/active\s*=\s*no/active = yes/' /etc/audit/plugins.d/au-remote.conf 
  
Set the IP address of the remote system by editing the "/etc/audit/audisp-remote.conf" file:  
  
     $ sudo sed -i -E 's/(remote_server\s*=).*/\1 <remote_server_ip_address>/' /etc/audit/audisp-remote.conf 
  
Restart the "auditd.service" for the changes to take effect:  
  
     $ sudo systemctl restart auditd.service