Navigate

Check: RHEL-09-653010

RHEL 9 STIG: RHEL-09-653010 (in versions v1 r3 through v1 r1)

Title

RHEL 9 audit package must be installed. (Cat II impact)

Discussion

Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 9 system. Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000055-GPOS-00026

Check Content

Verify that RHEL 9 audit service package is installed. Check that the audit service package is installed with the following command: $ sudo dnf list --installed audit Example output: audit-3.0.7-101.el9_0.2.x86_64 If the "audit" package is not installed, this is a finding.

Fix Text

Install the audit service package (if the audit service is not already installed) with the following command: $ sudo dnf install audit

Additional Identifiers

Rule ID: SV-258151r926440_rule

Vulnerability ID: V-258151

Group Title: SRG-OS-000062-GPOS-00031

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000130	The information system generates audit records containing information that establishes what type of event occurred.
CCI-000131	The information system generates audit records containing information that establishes when an event occurred.
CCI-000132	The information system generates audit records containing information that establishes where the event occurred.
CCI-000133	The information system generates audit records containing information that establishes the source of the event.
CCI-000134	The information system generates audit records containing information that establishes the outcome of the event.
CCI-000135	The information system generates audit records containing the organization-defined additional, more detailed information that is to be included in the audit records.
CCI-000154	The information system provides the capability to centrally review and analyze audit records from multiple components within the system.
CCI-000158	The information system provides the capability to process audit records for events of interest based on organization-defined audit fields within audit records.
CCI-000159	The information system uses internal system clocks to generate time stamps for audit records.
CCI-000169	The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components.
CCI-000172	The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
CCI-001464	The information system initiates session audits at system start-up.
CCI-001487	The information system generates audit records containing information that establishes the identity of any individuals or subjects associated with the event.
CCI-001814	The Information system supports auditing of the enforcement actions.
CCI-001875	The information system provides an audit reduction capability that supports on-demand audit review and analysis.
CCI-001876	The information system provides an audit reduction capability that supports on-demand reporting requirements.
CCI-001877	The information system provides an audit reduction capability that supports after-the-fact investigations of security incidents.
CCI-001878	The information system provides a report generation capability that supports on-demand audit review and analysis.
CCI-001879	The information system provides a report generation capability that supports on-demand reporting requirements.
CCI-001880	The information system provides a report generation capability that supports after-the-fact investigations of security incidents.
CCI-001881	The information system provides an audit reduction capability that does not alter original content or time ordering of audit records.
CCI-001882	The information system provides a report generation capability that does not alter original content or time ordering of audit records.
CCI-001889	The information system records time stamps for audit records that meet organization-defined granularity of time measurement.
CCI-001914	The information system provides the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined information system components based on organization-defined selectable event criteria within organization-defined time thresholds.
CCI-002884	The organization audits nonlocal maintenance and diagnostic sessions^ organization-defined audit events.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
AU-3	Content Of Audit Records
AU-3 (1)	Additional Audit Information
AU-6 (4)	Central Review And Analysis
AU-7	Audit Reduction And Report Generation
AU-7 (1)	Automatic Processing
AU-8	Time Stamps
AU-12	Audit Generation
AU-12 (3)	Changes By Authorized Individuals
AU-14 (1)	System Start-Up
CM-5 (1)	Automated Access Enforcement / Auditing
MA-4 (1)	Auditing And Review