Title

All RHEL 9 remote access methods must be monitored. (Cat II impact)

Discussion

Logging remote access methods can be used to trace the decrease in the risks associated with remote user access management. It can also be used to spot cyberattacks and ensure ongoing compliance with organizational policies surrounding the use of remote access methods.

Check Content

Verify that RHEL 9 monitors all remote access methods. Check that remote access methods are being logged by running the following command: $ grep -rE '(auth.\*|authpriv.\*|daemon.\*)' /etc/rsyslog.conf /etc/rsyslog.d/ /etc/rsyslog.conf:authpriv.* If "auth.*", "authpriv.*" or "daemon.*" are not configured to be logged, this is a finding.

Fix Text

Add or update the following lines to the "/etc/rsyslog.conf" file or a file in "/etc/rsyslog.d": auth.*;authpriv.*;daemon.* /var/log/secure The "rsyslog" service must be restarted for the changes to take effect with the following command: $ sudo systemctl restart rsyslog.service

Additional Identifiers

Rule ID: SV-258144r1045286_rule

Vulnerability ID: V-258144

Group Title: SRG-OS-000032-GPOS-00013

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.