The system's access control program must log each system’s access attempt.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-941	GEN006600	SV-35206r2_rule	ECAR-1 ECAR-2 ECAR-3	Medium

Description
If access attempts are not logged, then multiple attempts to log on to the system by an unauthorized user may go undetected.

STIG	Date
HP-UX 11.23 Security Technical Implementation Guide	2015-06-12

Details

Check Text ( C-35049r2_chk )
Normally, tcpd logs to the mail facility in the syslog.conf file (normally located within the /etc directory). Determine if syslog is configured to log events by tcpd. # find /etc -type f -name syslog.conf # cat /syslog.conf \| tr '\011' ' ' \| tr -s ' ' \| sed -e 's/^[ \t]//' \|grep -v “^#” \| egrep “mail.debug\|mail.info\|mail.\” Look for an entry similar to the following, indicating that mail alerts are being logged: mail.* /var/log/maillog If no entries for mail exist, then tcpd is not logging and this is a finding.

Check Text ( C-35049r2_chk )

Normally, tcpd logs to the mail facility in the syslog.conf file (normally located within the /etc directory). Determine if syslog is configured to log events by tcpd.
# find /etc -type f -name syslog.conf
# cat /syslog.conf | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' |grep -v “^#” | egrep “mail.debug|mail.info|mail.\*”

Look for an entry similar to the following, indicating that mail alerts are being logged:
mail.* /var/log/maillog

If no entries for mail exist, then tcpd is not logging and this is a finding.

Fix Text (F-32112r1_fix)
Configure the access restriction program to log every access attempt. Ensure the implementation instructions for TCP_WRAPPERS are followed so logging of system access attempts is logged into the system log files. If an alternate application is used, it must support this function.