UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The audit system must be configured to audit modifications to the systems network configuration.


Overview

Finding ID Version Rule ID IA Controls Severity
V-38540 RHEL-06-000182 SV-50341r2_rule Low
Description
The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.
STIG Date
Red Hat Enterprise Linux 6 Security Technical Implementation Guide 2015-03-06

Details

Check Text ( C-46098r1_chk )
To determine if the system is configured to audit changes to its network configuration, run the following command:

auditctl -l | egrep '(sethostname|setdomainname|/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)'

If the system is configured to watch for network configuration changes, a line should be returned for each file specified (and "perm=wa" should be indicated for each).
If the system is not configured to audit changes of the network configuration, this is a finding.
Fix Text (F-43488r2_fix)
Add the following to "/etc/audit/audit.rules", setting ARCH to either b32 or b64 as appropriate for your system:

# audit_network_modifications
-a always,exit -F arch=ARCH -S sethostname -S setdomainname -k audit_network_modifications
-w /etc/issue -p wa -k audit_network_modifications
-w /etc/issue.net -p wa -k audit_network_modifications
-w /etc/hosts -p wa -k audit_network_modifications
-w /etc/sysconfig/network -p wa -k audit_network_modifications