Add description for 8.1.1.5

samson 2018-11-12 19:39:14 +08:00
parent 8788e7e539
commit 0d0c3b543b
1 changed files with 22 additions and 0 deletions

@ -234,6 +234,28 @@ Edit the "/etc/audit/rules.d/audit.rules" file and add the following line:
```
Kernel log monitoring must also be configured to properly alert designated staff. The audit daemon must be restarted for the changes to take effect.
## 8.1.1.5 Ensure set remote_server for audit service (scored)
### Profile Applicability
Level 4
### Description
The operating system must off-load audit records onto a different system or media from the system being audited.
### Rationale
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
### Aduit
Verify the operating system off-loads audit records onto a different system or media from the system being audited. To determine the remote server that the records are being sent to, use the following command:
```
# grep -i remote_server /etc/audisp/audisp-remote.conf
remote_server = 10.0.21.1
```
If a remote server is not configured, or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. If there is no evidence that the audit logs are being off-loaded to another system or media, this is a finding.
### Remediation (Need manual fix)
Configure the operating system to off-load audit records onto a different system or media from the system being audited. Set the remote server option in "/etc/audisp/audisp-remote.conf" with the IP address of the log aggregation server.
## 8.1.19 Recored ssh-keysign command usage (scored)
### Profile Applicability
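Review bot: The audit command in the new 8.1.1.5 section, `grep -i remote_server /etc/audisp/audisp-remote.conf`, also prints a commented-out `remote_server` line, which the next paragraph treats as a finding, so a reader or script that only checks for output will pass a non-compliant host. Anchor the pattern to uncommented settings, for example `grep -iE '^[[:space:]]*remote_server' /etc/audisp/audisp-remote.conf`. The Remediation text should show the line to set (in the same `remote_server = <address>` form as the audit output) and say whether the audit daemon has to be restarted, as the preceding section does for its rule change. Style: the heading `### Aduit` should read `### Audit`, and the title "Ensure set remote_server for audit service" would read better as "Ensure remote_server is set for the audit service".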