Check: PHTN-67-000010
VMware vSphere 6.7 Photon OS STIG:
PHTN-67-000010
(in versions v1 r6 through v1 r1)
Title
The Photon operating system must configure auditd to log to disk. (Cat II impact)
Discussion
Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content must be shipped to a central location, but it must also be logged locally. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019
Check Content
At the command line, execute the following command: # grep "^write_logs" /etc/audit/auditd.conf Expected result: write_logs = yes If there is no output, this is not a finding. If the output does not match the expected result, this is a finding.
Fix Text
Open /etc/audit/auditd.conf with a text editor. Ensure that the "write_logs" line is uncommented and set to the following: write_logs = yes At the command line, execute the following command: # service auditd reload
Additional Identifiers
Rule ID: SV-239082r675054_rule
Vulnerability ID: V-239082
Group Title: SRG-OS-000037-GPOS-00015
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000130 |
The information system generates audit records containing information that establishes what type of event occurred. |
CCI-000132 |
The information system generates audit records containing information that establishes where the event occurred. |
CCI-000133 |
The information system generates audit records containing information that establishes the source of the event. |
CCI-000134 |
The information system generates audit records containing information that establishes the outcome of the event. |
Controls
Number | Title |
---|---|
AU-3 |
Content Of Audit Records |