UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The system must log informational authentication data.


Overview

Finding ID Version Rule ID IA Controls Severity
V-12004 GEN003660 SV-37404r2_rule Medium
Description
Monitoring and recording successful and unsuccessful logins assists in tracking unauthorized access to the system.
STIG Date
Red Hat Enterprise Linux 5 Security Technical Implementation Guide 2017-03-01

Details

Check Text ( C-36086r3_chk )
Depending on what system is used for log processing either /etc/syslog.conf or /etc/rsyslog.conf will be the logging configuration file. Check /etc/syslog.conf or /etc/rsyslog.conf and verify the authpriv facility is logging both the "notice" and "info" priority messages.

Procedure:
For a given action all messages of a higher severity or "priority" are logged. The three lowest priorities in ascending order are "debug", "info" and "notice". A priority of "info" will include "notice". A priority of "debug" includes both "info" and "notice".

Enter/Input for syslog:
# grep "authpriv.debug" /etc/syslog.conf
# grep "authpriv.info" /etc/syslog.conf
# grep "authpriv\.\*" /etc/syslog.conf

Enter/Input for rsyslog:
# grep "authpriv.debug" /etc/rsyslog.conf
# grep "authpriv.info" /etc/rsyslog.conf
# grep "authpriv\.\*" /etc/rsyslog.conf


If an "authpriv.*", "authpriv.debug", or "authpriv.info" entry is not found, this is a finding.
Fix Text (F-31333r2_fix)
Edit /etc/syslog.conf or /etc/rsyslog.conf and add local log destinations for "authpriv.*", "authpriv.debug" or "authpriv.info".