
The system's access control program must log each system’s access attempt.


Overview

Finding ID: V-941
Version: GEN006600
Rule ID: SV-35206r1_rule
IA Controls: ECAR-1, ECAR-2, ECAR-3
Severity: Medium
Description
If access attempts are not logged, then multiple attempts to log on to the system by an unauthorized user may go undetected.
STIG: HP-UX 11.31 Security Technical Implementation Guide
Date: 2013-03-28

Details

Check Text (C-35049r1_chk)
Normally, tcpd logs to the mail facility, which is configured in the syslog.conf file (usually located in the /etc directory). Determine whether syslog is configured to log events from tcpd.
# find /etc -type f -name syslog.conf
# cat /etc/syslog.conf | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' |grep -v "^#" | egrep "mail.debug|mail.info|mail.\*"

Look for entries similar to the following:
mail.debug /var/adm/maillog
mail.* /var/log/maillog
mail.info /var/log/maillog

The above entries would indicate mail alerts are being logged. If no entries for mail exist, then tcpd is not logging and this is a finding.
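
The check above, as an added example that is not part of the STIG text: a POSIX shell function that parses the selector field of each active rule instead of substring-matching, so commented-out lines and selectors with no action are not counted. The function names mail_log_rules and sample_conf and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the STIG): list active syslog.conf rules that log
# the mail facility at debug, info or all levels, as the check text requires.

# mail_log_rules [FILE]
# Reads FILE (or stdin when omitted) and prints "selector<TAB>action" for each
# matching rule. Returns 0 if at least one rule matched, 1 if none did
# (the finding condition described in the check text).
mail_log_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        {
            selector = $1
            action = $2
            if (action == "") next          # selector without an action logs nothing
            # A selector field may combine several entries with ";".
            n = split(selector, parts, ";")
            for (i = 1; i <= n; i++) {
                if (parts[i] ~ /^mail\.(debug|info|\*)$/) {
                    printf "%s\t%s\n", parts[i], action
                    found = 1
                    break
                }
            }
        }
        END { exit(found ? 0 : 1) }
    ' "${1:--}"
}

# Constructed sample configuration, not taken from a real system.
sample_conf() {
    cat <<'EOF'
# mail.debug /var/adm/maillog
*.emerg *
kern.err;mail.info /var/log/maillog
EOF
}

# Demonstration on the constructed sample.
if sample_conf | mail_log_rules; then
    echo "mail facility is logged: not a finding"
else
    echo "no active mail rule: finding"
fi
```

On a real system, pass the path returned by the find command, for example `mail_log_rules /etc/syslog.conf`.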
Fix Text (F-32112r1_fix)
Configure the access restriction program to log every access attempt. Ensure the implementation instructions for TCP_WRAPPERS are followed so that system access attempts are logged to the system log files. If an alternate application is used, it must support this function.