Check: GEN006600
HP-UX 11.23 STIG:
GEN006600
(in version v1 r8)
Title
The system's access control program must log each system’s access attempt. (Cat II impact)
Discussion
If access attempts are not logged, then multiple attempts to log on to the system by an unauthorized user may go undetected.
Check Content
Normally, tcpd logs to the mail facility in the syslog.conf file (normally located within the /etc directory). Determine if syslog is configured to log events by tcpd. # find /etc -type f -name syslog.conf # cat <path>/syslog.conf | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' |grep -v “^#” | egrep “mail.debug|mail.info|mail.\*” Look for an entry similar to the following, indicating that mail alerts are being logged: mail.* /var/log/maillog If no entries for mail exist, then tcpd is not logging and this is a finding.
Fix Text
Configure the access restriction program to log every access attempt. Ensure the implementation instructions for TCP_WRAPPERS are followed so logging of system access attempts is logged into the system log files. If an alternate application is used, it must support this function.
Additional Identifiers
Rule ID: SV-35206r2_rule
Vulnerability ID: V-941
Group Title: GEN006600
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000126 |
The organization determines that the organization-defined subset of the auditable events defined in AU-2 are to be audited within the information system. |
Controls
Number | Title |
---|---|
AU-2 |
Audit Events |