Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-258152 | RHEL-09-653015 | SV-258152r997058_rule | Medium |
Description |
---|
Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the "auditd" service is active ensures audit records generated by the kernel are appropriately recorded. Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220 |
STIG | Date |
---|---|
Red Hat Enterprise Linux 9 Security Technical Implementation Guide | 2024-06-04 |
Check Text ( C-61893r926441_chk ) |
---|
Verify the audit service is configured to produce audit records with the following command: $ systemctl status auditd.service auditd.service - Security Auditing Service Loaded:loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) Active: active (running) since Tues 2022-05-24 12:56:56 EST; 4 weeks 0 days ago If the audit service is not "active" and "running", this is a finding. |
Fix Text (F-61817r926442_fix) |
---|
To enable the auditd service run the following command: $ sudo systemctl enable --now auditd |