RHEL-07-030300

The operating system must off-load audit records onto a different system or media from the system being audited.

and

RHEL-07-030310

The operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.

This poses a real problem since there are pretty much limitless methods to meet this requirement and, given that actual proof is multi-node, this is going to be *really* difficult to evaluate properly.

As much as I like auditd, I don't care for the thought of the network blocking all of my operations, so I've opted to pass it along to syslog. My syslog is then TLS encrypted to the various shipping points. This obviously meets the requirement, and I can automatically test that configuration in my code but I feel like this is yet another place where we're going to have difficulty with the SSG.

I also noticed that this one hasn't been implemented in the SSG and I'm guessing that this is why.

What are the plans for things like this moving forward?

Thanks,

Trevor
--