TOSS 5 must be configured to off-load audit records onto a different system from the system being audited via syslog.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-282563 | SRG-OS-000342-GPOS-00133 | TOSS-05-000380 | SV-282563r1200669_rule | 2026-04-01 | 1 |
Description
The auditd service does not include the ability to send audit records to a centralized server for management directly. However, it can use a plug-in for an audit event multiplexor (audispd) to pass audit records to the local syslog server.
ℹ️ Check
Verify TOSS 5 is configured use the "audisp-remote" syslog service using the following command:
$ sudo grep active /etc/audit/plugins.d/syslog.conf
active = yes
If the "active" keyword does not have a value of "yes", the line is commented out, or the line is missing, this is a finding.
✔️ Fix
Edit the "/etc/audit/plugins.d/syslog.conf" file and add or update the "active" option:
active = yes
Restart the audit daemon for the changes to take effect.