Check: FreeBSD-10-000150
FreeBSD 10:
FreeBSD-10-000150
(in version v1 r1)
Title
The operating system must produce audit records containing information to establish what type of events occurred. (Cat II impact)
Discussion
Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000055-GPOS-00026, SRG-OS-000062-GPOS-00031, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000359-GPOS-00146
Check Content
Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. To check if auditing is in place: $ grep auditd /etc/rc.conf auditd_enable="YES" If auditd_enable does not equal "YES", this is a finding. $ service auditd status If auditd is not running, this is a finding.
Fix Text
Configure the operating system to produce audit records containing information to establish what type of events occurred.
Additional Identifiers
Rule ID:
Vulnerability ID: V-150
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000130 |
The information system generates audit records containing information that establishes what type of event occurred. |
| CCI-000131 |
The information system generates audit records containing information that establishes when an event occurred. |
| CCI-000132 |
The information system generates audit records containing information that establishes where the event occurred. |
| CCI-000133 |
The information system generates audit records containing information that establishes the source of the event. |
| CCI-000134 |
The information system generates audit records containing information that establishes the outcome of the event. |
| CCI-000135 |
The information system generates audit records containing the organization-defined additional, more detailed information that is to be included in the audit records. |
| CCI-000154 |
The information system provides the capability to centrally review and analyze audit records from multiple components within the system. |
| CCI-000158 |
The information system provides the capability to process audit records for events of interest based on organization-defined audit fields within audit records. |
| CCI-000159 |
The information system uses internal system clocks to generate time stamps for audit records. |
| CCI-000169 |
The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components. |
| CCI-000172 |
The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. |
| CCI-001464 |
The information system initiates session audits at system start-up. |
| CCI-001487 |
The information system generates audit records containing information that establishes the identity of any individuals or subjects associated with the event. |
| CCI-001890 |
The information system records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). |