The system must log authentication informational data.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-12004	GEN003660	SV-35062r1_rule	ECAR-1 ECAR-2 ECAR-3	Medium

Description
Monitoring and recording successful and unsuccessful logins assists in tracking unauthorized access to the system.

STIG	Date
HP-UX 11.23 Security Technical Implementation Guide	2015-06-12

Details

Check Text ( C-36521r1_chk )
Check /etc/syslog.conf and verify the auth facility is logging both the notice and info (NOTE that auth.info includes auth.notice and the auth.debug includes both auth.info and auth.notice) level messages by: # cat /etc/syslog.conf \| tr '\011' ' ' \| tr -s ' ' \| sed -e 's/^[ \t]//' \| grep -v "^#" \| egrep -i "auth.info\|auth.debug\|auth.\\|\.info\|\.debug" If auth.* is not found, or auth.notice or auth.debug or .info and .debug are not found, this is a finding.

Check Text ( C-36521r1_chk )

Check /etc/syslog.conf and verify the auth facility is logging both the notice and info (NOTE that auth.info includes auth.notice and the auth.debug includes both auth.info and auth.notice) level messages by:
# cat /etc/syslog.conf | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v "^#" | egrep -i "auth.info|auth.debug|auth.\*|\*.info|\*.debug"

If auth.* is not found, or auth.notice or auth.debug or *.info and *.debug are not found, this is a finding.

Fix Text (F-31881r1_fix)
Edit /etc/syslog.conf and add local log destinations for auth., auth.debug, auth.info, .debug or *.info. NOTE: In general and though not required, it is always advisable to explicitly declare auth.info or auth.debug entries rather than use the wildcard notation method.