Check: SLEM-05-653010
SUSE Linux Enterprise Micro (SLEM) 5 STIG: SLEM-05-653010 (in version v1 r1)
Title
SLEM 5 must have the auditing package installed. (Cat II impact)
Discussion
Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in SLEM 5 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured SLEM 5.
Check Content
Verify the SLEM 5 auditing package is installed with the following command:

> zypper info audit

Name : audit
Version : 2.8.5-3.2
Arch : X86_64
Vendor : SUSE LLC <https://www.suse.com>
Installed Size : 646.2 KiB
Installed : Yes (automatically)
Status : up-to-date

If the package "audit" is not installed on the system, this is a finding.
Fix Text
Install the SLEM 5 auditing package with the following commands:

> sudo transactional-update pkg install audit
> sudo reboot
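The check and fix above can be automated so a compliance scan reports a finding consistently rather than relying on a human reading `zypper info` output. The script below is an added example, not part of the STIG text: it parses the `Installed :` field of `zypper info audit` output (the format shown in the check), reports pass or finding, and wraps the documented `transactional-update` fix. The two sample outputs are constructed for offline testing; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example for STIG check SLEM-05-653010 (not from the STIG itself).
# Assumes the `zypper info` field layout shown in the check content.

# Read `zypper info` output on stdin; succeed if the package is installed.
# The pattern anchors on "Installed" followed by optional space and a colon,
# so "Installed Size : ..." does not match, and accepts "Yes" with or
# without the "(automatically)" suffix.
audit_installed_from_info() {
    grep -Eq '^Installed[[:space:]]*:[[:space:]]*Yes'
}

# Evaluate the check against a block of zypper output passed as $1.
# Prints "pass ..." (status 0) or "finding ..." (status 1).
slem_05_653010_check() {
    if printf '%s\n' "$1" | audit_installed_from_info; then
        echo "pass: audit package installed"
        return 0
    else
        echo "finding: SLEM-05-653010 - audit package not installed"
        return 1
    fi
}

# Live check against this host; status 2 when zypper is unavailable
# (for example when the script is run off-box for testing).
slem_05_653010_live() {
    if ! command -v zypper >/dev/null 2>&1; then
        echo "zypper not found; cannot evaluate SLEM-05-653010" >&2
        return 2
    fi
    slem_05_653010_check "$(zypper info audit 2>/dev/null)"
}

# Apply the documented fix. SLEM uses a transactional (snapshot-based) root,
# so the package only becomes active after the reboot the STIG fix text calls for.
slem_05_653010_fix() {
    if ! command -v transactional-update >/dev/null 2>&1; then
        echo "transactional-update not found; cannot apply fix" >&2
        return 2
    fi
    sudo transactional-update pkg install audit || return 1
    echo "audit installed into the next snapshot; reboot to activate"
}

# Constructed sample output: package present (mirrors the check content).
SAMPLE_INSTALLED='Name           : audit
Version        : 2.8.5-3.2
Arch           : x86_64
Installed Size : 646.2 KiB
Installed      : Yes (automatically)
Status         : up-to-date'

# Constructed sample output: package absent (a finding).
SAMPLE_NOT_INSTALLED='Name           : audit
Version        : 2.8.5-3.2
Arch           : x86_64
Installed Size : 646.2 KiB
Installed      : No
Status         : not installed'

# Demonstrate on the constructed samples; use slem_05_653010_live on a real host.
slem_05_653010_check "$SAMPLE_INSTALLED"
slem_05_653010_check "$SAMPLE_NOT_INSTALLED" || true
```

Note that this check, like the STIG text, only establishes that the `audit` package is present; whether the audit daemon is enabled and the rule set is loaded is covered by other checks in the same STIG, so a passing result here is necessary but not sufficient evidence that auditing is operating.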
Additional Identifiers
Rule ID: SV-261410r996645_rule
Vulnerability ID: V-261410
Group Title: SRG-OS-000337-GPOS-00129
CCIs
Number | Definition |
---|---|
CCI-000172 | Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3. |
CCI-001814 | The information system supports auditing of the enforcement actions. |
CCI-001875 | Provide an audit reduction capability that supports on-demand audit review and analysis. |
CCI-001877 | Provide an audit reduction capability that supports after-the-fact investigations of incidents. |
CCI-001878 | Provide a report generation capability that supports on-demand audit review and analysis. |
CCI-001879 | Provide a report generation capability that supports on-demand reporting requirements. |
CCI-001880 | Provide a report generation capability that supports after-the-fact investigations of security incidents. |
CCI-001881 | Provide an audit reduction capability that does not alter original content or time ordering of audit records. |
CCI-001882 | Provide a report generation capability that does not alter original content or time ordering of audit records. |
CCI-001889 | Record time stamps for audit records that meet organization-defined granularity of time measurement. |
CCI-001890 | Record time stamps for audit records that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp. |
CCI-001914 | Provide the capability for organization-defined individuals or roles to change the logging to be performed on organization-defined system components based on organization-defined selectable event criteria within organization-defined time thresholds. |