So, I was digging through and found the following:
RHEL-07-030300
The operating system must off-load audit records onto a different system or
media from the system being audited.
and
RHEL-07-030310
The operating system must encrypt the transfer of audit records off-loaded
onto a different system or media from the system being audited.
This poses a real problem since there are pretty much limitless methods to
meet this requirement and, given that actual proof is multi-node, this is
going to be *really* difficult to evaluate properly.
As much as I like auditd, I don't care for the thought of the network
blocking all of my operations, so I've opted to pass it along to syslog. My
syslog is then TLS encrypted to the various shipping points. This obviously
meets the requirement, and I can automatically test that configuration in
my code but I feel like this is yet another place where we're going to have
difficulty with the SSG.
I also noticed that this one hasn't been implemented in the SSG and I'm
guessing that this is why.
What are the plans for things like this moving forward?
Thanks,
Trevor
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --