Title

The operating system must provide the capability to filter audit records for events of interest based upon all audit fields within audit records. (Cat II impact)

Discussion

The ability to specify the event criteria that are of interest provides the individuals reviewing the logs with the ability to quickly isolate and identify these events without having to review entries that are of little or no consequence to the investigation. Without this capability, forensic investigations are impeded. Events of interest can be identified by the content of specific audit record fields, including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component. This requires operating systems to provide the capability to customize audit record reports based on all available criteria. Satisfies: SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000353-GPOS-00141

Check Content

Verify the operating system provides the capability to filter audit records for events of interest based upon all audit fields within audit records. If it does not, this is a finding. Ensure "auditreduce" is installed: $ which auditreduce /usr/sbin/auditreduce If the auditreduce utility is not found, this is a finding. If an alternative audit filtering capabiltity is in place this is not a finding.

Fix Text

Configure the operating system to provide the capability to filter audit records for events of interest based upon all audit fields within audit records.

Additional Identifiers

Rule ID:

Vulnerability ID: V-250

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.