Check: TOSS-04-030010
Tri-Lab Operating System Stack (TOSS) 4 STIG:
TOSS-04-030010
(in versions v1 r3 through v1 r1)
Title
TOSS audit records must contain information to establish what type of events occurred, when the events occurred, the source of events, where events occurred, and the outcome of events. (Cat II impact)
Discussion
Without establishing what type of events occurred, when events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in TOSS audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured TOSS system. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000047-GPOS-00023, SRG-OS-000051-GPOS-00024, SRG-OS-000064-GPOS-00033, SRG-OS-000241-GPOS-00091, SRG-OS-000254-GPOS-00095, SRG-OS-000327-GPOS-00127, SRG-OS-000342-GPOS-00133, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000365-GPOS-00152, SRG-OS-000474-GPOS-00219, SRG-OS-000479-GPOS-00224
Check Content
Verify the audit service is configured to produce audit records. Check that the audit service is installed properly with the following command: $ sudo yum list installed audit If the "audit" package is not installed, this is a finding. Check that the audit service is properly running and active on the system with the following command: $ sudo systemctl is-active auditd.service active If the command above returns "inactive", this is a finding.
Fix Text
Configure the audit service to produce audit records containing the information needed to establish when (date and time) an event occurred. Install the audit service (if the audit service is not already installed) with the following command: $ sudo yum install audit Enable the audit service with the following command: $ sudo systemctl enable auditd.service Start the audit service with the following command: $ sudo systemctl start auditd.service
Additional Identifiers
Rule ID: SV-252973r824243_rule
Vulnerability ID: V-252973
Group Title: SRG-OS-000037-GPOS-00015
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000130 |
The information system generates audit records containing information that establishes what type of event occurred. |
CCI-000131 |
The information system generates audit records containing information that establishes when an event occurred. |
CCI-000132 |
The information system generates audit records containing information that establishes where the event occurred. |
CCI-000133 |
The information system generates audit records containing information that establishes the source of the event. |
CCI-000134 |
The information system generates audit records containing information that establishes the outcome of the event. |
CCI-000135 |
The information system generates audit records containing the organization-defined additional, more detailed information that is to be included in the audit records. |
CCI-000140 |
The information system takes organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records). |
CCI-000154 |
The information system provides the capability to centrally review and analyze audit records from multiple components within the system. |
CCI-000172 |
The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. |
CCI-001405 |
The information system automatically audits account removal actions. |
CCI-001464 |
The information system initiates session audits at system start-up. |
CCI-001814 |
The Information system supports auditing of the enforcement actions. |
CCI-001851 |
The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited. |
CCI-001875 |
The information system provides an audit reduction capability that supports on-demand audit review and analysis. |
CCI-001877 |
The information system provides an audit reduction capability that supports after-the-fact investigations of security incidents. |
CCI-001878 |
The information system provides a report generation capability that supports on-demand audit review and analysis. |
CCI-001879 |
The information system provides a report generation capability that supports on-demand reporting requirements. |
CCI-001881 |
The information system provides an audit reduction capability that does not alter original content or time ordering of audit records. |
CCI-001882 |
The information system provides a report generation capability that does not alter original content or time ordering of audit records. |
CCI-002234 |
The information system audits the execution of privileged functions. |
Controls
Number | Title |
---|---|
AC-2 (4) |
Automated Audit Actions |
AC-6 (9) |
Auditing Use Of Privileged Functions |
AU-3 |
Content Of Audit Records |
AU-3 (1) |
Additional Audit Information |
AU-4 (1) |
Transfer To Alternate Storage |
AU-5 |
Response To Audit Processing Failures |
AU-6 (4) |
Central Review And Analysis |
AU-7 |
Audit Reduction And Report Generation |
AU-12 |
Audit Generation |
AU-14 (1) |
System Start-Up |
CM-5 (1) |
Automated Access Enforcement / Auditing |