The Riverbed NetIM must off-load audit records onto a different system or media than the system being audited.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-275482 | SRG-APP-000515-NDM-000325 | RIIM-DM-000043 | SV-275482r1147496_rule | 2025-09-29 | 1 |
Description
Information stored in one location on a disk may be vulnerable to accidental or incidental deletion or alteration.
The ability to off-load those files is a common process used while managing information systems.
ℹ️ Check
Verify auditing is configured to send events to a central log server by using the following command:
$ sudo grep -i action(type="omfwd" target="<Syslog Server IP > " port="3514" protocol="tcp"
action.resumeRetryCount="100"
queue.type="linkedList" queue.size="10000")
If auditing is configured to send events to a central log server, this is a finding.
✔️ Fix
Configure "rsyslog.d" service to send NetIM audit logs to central syslog.
1. Add or modify the following line in the "/etc/rsyslog.d" file:
$ sudo nano /etc/rsyslog.d/60-netim.conf
2. Add the following text:
*.* action(type="omfwd" target="<Syslog Server IP > " port="3514" protocol="tcp"
action.resumeRetryCount="100"
queue.type="linkedList" queue.size="10000")
3. Restart rsyslog service.
$ sudo service rsyslog restart