
The system must log informational authentication data.


Overview

Finding ID: V-12004
Version: GEN003660
Rule ID: SV-37404r1_rule
IA Controls: ECAR-1, ECAR-2, ECAR-3
Severity: Medium
Description
Monitoring and recording successful and unsuccessful logins assists in tracking unauthorized access to the system.
STIG: Red Hat Enterprise Linux 5 Security Technical Implementation Guide
Date: 2013-07-03

Details

Check Text (C-36086r2_chk)
Check /etc/syslog.conf and verify the authpriv facility is logging both the "notice" and "info" priority messages.

Procedure:
For a given action, all messages at the specified severity or "priority" and at any higher priority are logged. The three lowest priorities, in ascending order, are "debug", "info" and "notice". A priority of "info" therefore includes "notice", and a priority of "debug" includes both "info" and "notice".

Enter/Input:
# grep "authpriv.debug" /etc/syslog.conf
# grep "authpriv.info" /etc/syslog.conf
# grep "authpriv\.\*" /etc/syslog.conf

If an "authpriv.*", "authpriv.debug", or "authpriv.info" entry is not found, this is a finding.
Fix Text (F-31333r1_fix)
Edit /etc/syslog.conf and add local log destinations for "authpriv.*", "authpriv.debug" or "authpriv.info".
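
The greps in the Check Text also match commented-out lines and do not look at the destination the Fix Text asks for, so the following added example (not part of the STIG) parses a syslog.conf and counts only active rules that select authpriv at "*", "debug" or "info" and write to a local file. The function name check_authpriv, the constructed sample files and the treatment of "local" as a path starting with "/" or "-/" are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the STIG. check_authpriv FILE prints the local
# file destination of each active rule selecting authpriv at "*", "debug" or
# "info". Returns 0 if at least one exists, 1 (a finding) otherwise.
check_authpriv() {
    awk '
    /^[ \t]*#/ || NF < 2 { next }       # skip comments, blank and malformed lines
    {
        action = $NF                    # destination is the last field
        selectors = $0
        sub(/[ \t]+[^ \t]+[ \t]*$/, "", selectors)   # drop the destination
        gsub(/[ \t]/, "", selectors)
        n = split(selectors, sel, ";")  # "a.x;b.y" holds several selectors
        for (i = 1; i <= n; i++) {
            dot = index(sel[i], ".")
            if (dot == 0) continue
            prio = substr(sel[i], dot + 1)
            # "=info", "!info", "notice" etc. do not cover both info and notice
            if (prio != "*" && prio != "debug" && prio != "info") continue
            m = split(substr(sel[i], 1, dot - 1), fac, ",")  # "auth,authpriv"
            for (j = 1; j <= m; j++)
                if (fac[j] == "authpriv" && action ~ /^-?\//) {
                    print action; found = 1
                }
        }
    }
    END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample files, not taken from a real host.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/pass.conf" <<'EOF'
# authpriv.debug  /var/log/old-secure
*.info;mail.none;authpriv.none  /var/log/messages
auth,authpriv.info              -/var/log/secure
EOF
cat > "$tmp/fail.conf" <<'EOF'
# authpriv.*      /var/log/secure
authpriv.notice   /var/log/secure
authpriv.info     @loghost.example.com
EOF

for f in pass.conf fail.conf; do
    dest=$(check_authpriv "$tmp/$f") && echo "$f: OK -> $dest" || echo "$f: FINDING"
done
```

In fail.conf every line contains the string "authpriv", yet none is an active rule that sends "info" and "notice" messages to a local file.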