The system must log successful and unsuccessful access to the root account.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-11980	GEN001060	SV-44916r1_rule		Medium

Description
If successful and unsuccessful logins and logouts are not monitored or recorded, access attempts cannot be tracked. Without this logging, it may be impossible to track unauthorized access to the system.

STIG	Date
SUSE Linux Enterprise Server v11 for System z	2016-12-20

Details

Check Text ( C-42357r1_chk )
Check the log files to determine if access to the root account is being logged. Procedure: Examine /etc/rsyslog.conf to confirm the location to which "auth" messages will be directed. The default rsyslog.conf uses /var/log/messages but, this needs to be confirmed. # grep @@ /etc/rsyslog.d/remote.conf If a line starting with "." is returned then all rsyslog messages will be sent to system whose address appears after the "@@". In this case rsyslog may or may not be configured to also log "auth" messages locally. # grep auth /etc/rsyslog.conf If any lines are returned which do not start with "#" the "auth" messages will be sent to the indicated files or remote systems. Try to "su -" and enter an incorrect password. #more /var/log/messages Or #more /var/log/secure If there are no records indicating the authentication failure, this is a finding.

Check Text ( C-42357r1_chk )

Check the log files to determine if access to the root account is being logged.

Procedure:
Examine /etc/rsyslog.conf to confirm the location to which "auth" messages will be directed. The default rsyslog.conf uses /var/log/messages but, this needs to be confirmed.

# grep @@ /etc/rsyslog.d/remote.conf
If a line starting with "*.*" is returned then all rsyslog messages will be sent to system whose address appears after the "@@". In this case rsyslog may or may not be configured to also log "auth" messages locally.

# grep auth /etc/rsyslog.conf
If any lines are returned which do not start with "#" the "auth" messages will be sent to the indicated files or remote systems.

Try to "su -" and enter an incorrect password.
#more /var/log/messages
Or
#more /var/log/secure

If there are no records indicating the authentication failure, this is a finding.

Fix Text (F-38348r1_fix)
Troubleshoot the system logging configuration to provide for logging of root account login attempts. Procedure: Edit /etc/rsyslog.conf to make sure "auth.*" messages are directed to a file or remote system. Examine /etc/audit/audit.rules to ensure user authentication messages have not been specifically excluded. There remove any entries that correspond to: -a exclude,never -Fmsgtype=USER_START -a exclude,never -Fmsgtype=USER_LOGIN -a exclude,never -Fmsgtype=USER_AUTH -a exclude,never -Fmsgtype=USER_END -a exclude,never -Fmsgtype=USER_ACCT NOTE: The rsyslogd process is protected by an AppArmor profile. If the /var/log/secure file needs to be created, the AppArmor profile will need to be updated for the new log file to be used. The profile is stored in /etc/apparmor.d/sbin.rsyslogd and it can be updated manually or by using the YaST AppArmor profile editor. An entry like ‘/var/log/secure w,’ allows write access. A system restart is recommended after updating an AppArmor profile.

Fix Text (F-38348r1_fix)

Troubleshoot the system logging configuration to provide for logging of root account login attempts.
Procedure:
Edit /etc/rsyslog.conf to make sure "auth.*" messages are directed to a file or remote system.
Examine /etc/audit/audit.rules to ensure user authentication messages have not been specifically excluded.
There remove any entries that correspond to:
-a exclude,never -Fmsgtype=USER_START
-a exclude,never -Fmsgtype=USER_LOGIN
-a exclude,never -Fmsgtype=USER_AUTH
-a exclude,never -Fmsgtype=USER_END
-a exclude,never -Fmsgtype=USER_ACCT

NOTE: The rsyslogd process is protected by an AppArmor profile. If the /var/log/secure file needs to be created, the AppArmor profile will need to be updated for the new log file to be used. The profile is stored in /etc/apparmor.d/sbin.rsyslogd and it can be updated manually or by using the YaST AppArmor profile editor. An entry like ‘/var/log/secure w,’ allows write access. A system restart is recommended after updating an AppArmor profile.