Check: RHEL-09-653015
RHEL 9 STIG:
RHEL-09-653015
(in versions v1 r3 through v1 r1)
Title
RHEL 9 audit service must be enabled. (Cat II impact)
Discussion
Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the "auditd" service is active ensures audit records generated by the kernel are appropriately recorded. Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220
Check Content
Verify the audit service is configured to produce audit records with the following command: $ systemctl status auditd.service auditd.service - Security Auditing Service Loaded:loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) Active: active (running) since Tues 2022-05-24 12:56:56 EST; 4 weeks 0 days ago If the audit service is not "active" and "running", this is a finding.
Fix Text
To enable the auditd service run the following command: $ sudo systemctl enable --now auditd
Additional Identifiers
Rule ID: SV-258152r926443_rule
Vulnerability ID: V-258152
Group Title: SRG-OS-000062-GPOS-00031
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000130 |
The information system generates audit records containing information that establishes what type of event occurred. |
| CCI-000131 |
The information system generates audit records containing information that establishes when an event occurred. |
| CCI-000132 |
The information system generates audit records containing information that establishes where the event occurred. |
| CCI-000133 |
The information system generates audit records containing information that establishes the source of the event. |
| CCI-000134 |
The information system generates audit records containing information that establishes the outcome of the event. |
| CCI-000135 |
The information system generates audit records containing the organization-defined additional, more detailed information that is to be included in the audit records. |
| CCI-000154 |
The information system provides the capability to centrally review and analyze audit records from multiple components within the system. |
| CCI-000158 |
The information system provides the capability to process audit records for events of interest based on organization-defined audit fields within audit records. |
| CCI-000169 |
The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components. |
| CCI-000172 |
The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. |
| CCI-001464 |
The information system initiates session audits at system start-up. |
| CCI-001487 |
The information system generates audit records containing information that establishes the identity of any individuals or subjects associated with the event. |
| CCI-001814 |
The Information system supports auditing of the enforcement actions. |
| CCI-001875 |
The information system provides an audit reduction capability that supports on-demand audit review and analysis. |
| CCI-001876 |
The information system provides an audit reduction capability that supports on-demand reporting requirements. |
| CCI-001877 |
The information system provides an audit reduction capability that supports after-the-fact investigations of security incidents. |
| CCI-001878 |
The information system provides a report generation capability that supports on-demand audit review and analysis. |
| CCI-001879 |
The information system provides a report generation capability that supports on-demand reporting requirements. |
| CCI-001880 |
The information system provides a report generation capability that supports after-the-fact investigations of security incidents. |
| CCI-001881 |
The information system provides an audit reduction capability that does not alter original content or time ordering of audit records. |
| CCI-001882 |
The information system provides a report generation capability that does not alter original content or time ordering of audit records. |
| CCI-001889 |
The information system records time stamps for audit records that meet organization-defined granularity of time measurement. |
| CCI-001914 |
The information system provides the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined information system components based on organization-defined selectable event criteria within organization-defined time thresholds. |
| CCI-002884 |
The organization audits nonlocal maintenance and diagnostic sessions^ organization-defined audit events. |
Controls
| Number | Title |
|---|---|
| AU-3 |
Content Of Audit Records |
| AU-3 (1) |
Additional Audit Information |
| AU-6 (4) |
Central Review And Analysis |
| AU-7 |
Audit Reduction And Report Generation |
| AU-7 (1) |
Automatic Processing |
| AU-8 |
Time Stamps |
| AU-12 |
Audit Generation |
| AU-12 (3) |
Changes By Authorized Individuals |
| AU-14 (1) |
System Start-Up |
| CM-5 (1) |
Automated Access Enforcement / Auditing |
| MA-4 (1) |
Auditing And Review |