
The system's access control program must log each system’s access attempt.


Overview

Finding ID: V-941
Version: GEN006600
Rule ID: SV-35206r2_rule
IA Controls: ECAR-1, ECAR-2, ECAR-3
Severity: Medium
Description
If access attempts are not logged, then multiple attempts to log on to the system by an unauthorized user may go undetected.
STIG: HP-UX SMSE Security Technical Implementation Guide
Date: 2014-02-28

Details

Check Text (C-35049r2_chk)
Normally, tcpd logs to the mail facility, which is configured in the syslog.conf file (normally located in the /etc directory). Determine if syslog is configured to log events by tcpd.
# find /etc -type f -name syslog.conf
# cat /etc/syslog.conf | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v "^#" | egrep "mail.debug|mail.info|mail.\*"

Look for an entry similar to the following, indicating that mail alerts are being logged:
mail.* /var/log/maillog

If no entries for mail exist, then tcpd is not logging and this is a finding.
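
A scripted form of the check above, added here as an example (it is not part of the STIG). The function names, the sample file contents and the /var/log/messages path are assumptions; the function tests only the selector field, so a commented-out entry or a destination path that merely contains text such as mail_info does not count as logging.

```shell
#!/bin/sh
# Added example: selector-aware form of the GEN006600 check (not from the STIG).
# check_tcpd_logging FILE
#   prints each matching mail selector with its log destination;
#   returns 0 when mail.debug, mail.info or mail.* is logged, 1 for a finding.
check_tcpd_logging() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    {
        n = split($1, sel, ";")            # selector field: fac.level[;fac.level]
        for (i = 1; i <= n; i++)
            if (sel[i] ~ /^mail\.(debug|info|\*)$/) {
                printf "%s -> %s\n", sel[i], $2
                found = 1
            }
    }
    END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample files (hypothetical contents, for illustration only).
write_samples() {
    dir=$1
    # Compliant: the entry the check text asks for, after a combined selector.
    printf '# local syslog configuration\n' > "$dir/good.conf"
    printf '*.info;mail.none\t/var/log/messages\n' >> "$dir/good.conf"
    printf 'mail.*\t/var/log/maillog\n' >> "$dir/good.conf"
    # Finding: the only mail selector is commented out, and an unrelated
    # destination path happens to contain the text "mail_info".
    printf '#mail.debug\t/var/log/maillog\n' > "$dir/bad.conf"
    printf 'auth.notice\t/var/log/mail_info.log\n' >> "$dir/bad.conf"
}

tmp=${TMPDIR:-/tmp}/gen006600.$$
mkdir -m 700 "$tmp" || exit 1
write_samples "$tmp"
for f in good.conf bad.conf; do
    if check_tcpd_logging "$tmp/$f"; then
        echo "$f: not a finding"
    else
        echo "$f: FINDING (no mail facility entry, tcpd is not logging)"
    fi
done
rm -rf "$tmp"
```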
Fix Text (F-32112r1_fix)
Configure the access restriction program to log every access attempt. Ensure the implementation instructions for TCP_WRAPPERS are followed so that system access attempts are logged to the system log files. If an alternate application is used, it must support this function.