UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

All RHEL 9 remote access methods must be monitored.


Overview

Finding ID Version Rule ID IA Controls Severity
V-258144 RHEL-09-652030 SV-258144r958406_rule Medium
Description
Logging remote access methods can be used to trace the decrease in the risks associated with remote user access management. It can also be used to spot cyberattacks and ensure ongoing compliance with organizational policies surrounding the use of remote access methods.
STIG Date
Red Hat Enterprise Linux 9 Security Technical Implementation Guide 2024-06-04

Details

Check Text ( C-61885r926417_chk )
Verify that RHEL 9 monitors all remote access methods.

Check that remote access methods are being logged by running the following command:

$ grep -rE '(auth.\*|authpriv.\*|daemon.\*)' /etc/rsyslog.conf

/etc/rsyslog.conf:authpriv.*

If "auth.*", "authpriv.*" or "daemon.*" are not configured to be logged, this is a finding.
Fix Text (F-61809r926418_fix)
Add or update the following lines to the "/etc/rsyslog.conf" file:

auth.*;authpriv.*;daemon.* /var/log/secure

The "rsyslog" service must be restarted for the changes to take effect with the following command:

$ sudo systemctl restart rsyslog.service