The system's access control program must log each system access attempt.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-941 | GEN006600 | SV-37757r1_rule | ECAR-1 ECAR-2 ECAR-3 | Medium |
| Description |
|---|
| If access attempts are not logged, then multiple attempts to log on to the system by an unauthorized user may go undetected. |
| STIG | Date |
|---|---|
| Red Hat Enterprise Linux 5 Security Technical Implementation Guide | 2013-07-03 |
Details
| Check Text ( C-36954r1_chk ) |
|---|
| The tcp_wrappers package is provided with the RHEL distribution. Other access control programs may be available but will need to be checked manually. Normally, tcpd logs to the mail facility in "/etc/syslog.conf". Determine if syslog is configured to log events by tcpd. Procedure: # more /etc/syslog.conf Look for entries similar to the following: mail.debug /var/adm/maillog mail.none /var/adm/maillog mail.* /var/log/mail authpriv.info /var/log/messages The above entries would indicate mail alerts are being logged. If no entries for mail exist, then tcpd is not logging this is a finding. If an alternate access control program is used and it does not provide logging of access attempts, this is a finding. |
| Fix Text (F-32219r1_fix) |
|---|
| Configure the access restriction program to log every access attempt. Ensure the implementation instructions for tcp_wrappers are followed so system access attempts are recorded to the system log files. If an alternate application is used, it must support this function. |