The system must log successful and unsuccessful access to the root account.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-11980	GEN001060	SV-64435r2_rule	ECAR-1 ECAR-2 ECAR-3	Medium

Description
If successful and unsuccessful logins and logouts are not monitored or recorded, access attempts cannot be tracked. Without this logging, it may be impossible to track unauthorized access to the system.

STIG	Date
Oracle Linux 5 Security Technical Implementation Guide	2015-03-26

Details

Check Text ( C-52821r2_chk )
Check the log files to determine if access to the root account is being logged. Procedure: Depending on what system is used for log processing either /etc/syslog.conf or /etc/rsyslog.conf will be the logging configuration file. Examine /etc/syslog.conf or /etc/rsyslog.conf to confirm the location to which "authpriv" messages will be directed. The default syslog.conf or rsyslog.conf uses /var/log/messages and /var/log/secure but this needs to be confirmed. # grep @ /etc/syslog.conf Or: # grep @ /etc/rsyslog.conf If a line starting with "." is returned then all syslog messages will be sent to system whose address appears after the "@". In this case syslog may or may not be configured to also log "authpriv" messages locally. # grep authpriv /etc/syslog.conf Or: # grep authpriv /etc/rsyslog.conf If any lines are returned which do not start with "#" the "authpriv" messages will be sent to the indicated files or remote systems. Try to "su -" and enter an incorrect password. If there are no records indicating the authentication failure, this is a finding.

Check Text ( C-52821r2_chk )

Check the log files to determine if access to the root account is being logged.

Procedure:

Depending on what system is used for log processing either /etc/syslog.conf or /etc/rsyslog.conf will be the logging configuration file.

Examine /etc/syslog.conf or /etc/rsyslog.conf to confirm the location to which "authpriv" messages will be directed.

The default syslog.conf or rsyslog.conf uses /var/log/messages and /var/log/secure but this needs to be confirmed.

# grep @ /etc/syslog.conf

Or:

# grep @ /etc/rsyslog.conf

If a line starting with "*.*" is returned then all syslog messages will be sent to system whose address appears after the "@". In this case syslog may or may not be configured to also log "authpriv" messages locally.

# grep authpriv /etc/syslog.conf

Or:

# grep authpriv /etc/rsyslog.conf

If any lines are returned which do not start with "#" the "authpriv" messages will be sent to the indicated files or remote systems.

Try to "su -" and enter an incorrect password.

If there are no records indicating the authentication failure, this is a finding.

Fix Text (F-55003r2_fix)
Troubleshoot the system logging configuration to provide for logging of root account login attempts. Procedure: Edit /etc/syslog.conf or /etc/rsyslog.conf to make sure "authpriv.*" messages are directed to a file or remote system. Examine /etc/audit/audit.rules to ensure user authentication messages have not been specifically excluded. Remove any entries that correspond to: -a exclude,never -Fmsgtype=USER_START -a exclude,never -Fmsgtype=USER_LOGIN -a exclude,never -Fmsgtype=USER_AUTH -a exclude,never -Fmsgtype=USER_END -a exclude,never -Fmsgtype=USER_ACCT

Fix Text (F-55003r2_fix)

Troubleshoot the system logging configuration to provide for logging of root account login attempts.

Procedure:

Edit /etc/syslog.conf or /etc/rsyslog.conf to make sure "authpriv.*" messages are directed to a file or remote system.

Examine /etc/audit/audit.rules to ensure user authentication messages have not been specifically excluded.

Remove any entries that correspond to:

-a exclude,never -Fmsgtype=USER_START
-a exclude,never -Fmsgtype=USER_LOGIN
-a exclude,never -Fmsgtype=USER_AUTH
-a exclude,never -Fmsgtype=USER_END
-a exclude,never -Fmsgtype=USER_ACCT