Check: PHTN-67-000018
VMware vSphere 6.7 Photon OS STIG:
PHTN-67-000018
(in versions v1 r6 through v1 r1)
Title
The Photon operating system must have the auditd service running. (Cat II impact)
Discussion
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. To that end, the auditd service must be configured to start automatically and be running at all times. Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000042-GPOS-00021, SRG-OS-000255-GPOS-00096, SRG-OS-000363-GPOS-00150, SRG-OS-000365-GPOS-00152, SRG-OS-000445-GPOS-00199, SRG-OS-000446-GPOS-00200, SRG-OS-000461-GPOS-00205, SRG-OS-000465-GPOS-00209, SRG-OS-000467-GPOS-00211, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220
Check Content
At the command line, execute the following command: # service auditd status | grep running If the service is not running, this is a finding.
Fix Text
At the command line, execute the following command: # systemctl enable auditd.service # service auditd start
Additional Identifiers
Rule ID: SV-239090r856039_rule
Vulnerability ID: V-239090
Group Title: SRG-OS-000062-GPOS-00031
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000135 |
The information system generates audit records containing the organization-defined additional, more detailed information that is to be included in the audit records. |
CCI-000169 |
The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components. |
CCI-000172 |
The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. |
CCI-001487 |
The information system generates audit records containing information that establishes the identity of any individuals or subjects associated with the event. |
CCI-001744 |
The information system implements organization-defined security responses automatically if baseline configurations are changed in an unauthorized manner. |
CCI-001814 |
The Information system supports auditing of the enforcement actions. |
CCI-002696 |
The information system verifies correct operation of organization-defined security functions. |
CCI-002699 |
The information system performs verification of the correct operation of organization-defined security functions: when the system is in an organization-defined transitional state; upon command by a user with appropriate privileges; and/or on an organization-defined frequency. |
Controls
Number | Title |
---|---|
AU-3 |
Content Of Audit Records |
AU-3 (1) |
Additional Audit Information |
AU-12 |
Audit Generation |
CM-3 (5) |
Automated Security Response |
CM-5 (1) |
Automated Access Enforcement / Auditing |
SI-6 |
Security Function Verification |