SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
DISA Rule
SV-217191r603262_rule
Vulnerability Number
V-217191
Group Title
SRG-OS-000037-GPOS-00015
Rule Version
SLES-12-020010
Severity
CAT II
CCI(s)
- CCI-000366 - The organization implements the security configuration settings.
- CCI-000154 - The information system provides the capability to centrally review and analyze audit records from multiple components within the system.
- CCI-000158 - The information system provides the capability to process audit records for events of interest based on organization-defined audit fields within audit records.
- CCI-000131 - The information system generates audit records containing information that establishes when an event occurred.
- CCI-000132 - The information system generates audit records containing information that establishes where the event occurred.
- CCI-000133 - The information system generates audit records containing information that establishes the source of the event.
- CCI-000134 - The information system generates audit records containing information that establishes the outcome of the event.
- CCI-000135 - The information system generates audit records containing the organization-defined additional, more detailed information that is to be included in the audit records.
- CCI-000130 - The information system generates audit records containing information that establishes what type of event occurred.
- CCI-001876 - The information system provides an audit reduction capability that supports on-demand reporting requirements.
- CCI-001464 - The information system initiates session audits at system start-up.
- CCI-001487 - The information system generates audit records containing information that establishes the identity of any individuals or subjects associated with the event.
- CCI-002884 - The organization audits nonlocal maintenance and diagnostic sessions organization-defined audit events.
Weight
10
Fix Recommendation
Enable the SUSE operating system auditd service by performing the following commands:
# sudo systemctl enable auditd.service
# sudo systemctl start auditd.service
Check Contents
Verify the SUSE operating system produces audit records.
Check that the SUSE operating system produces audit records by running the following command to determine the current status of the auditd service:
# systemctl status auditd.service
If the service is enabled, the returned message must contain the following text:
Active: active (running)
If the service is not running, this is a finding.
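As an added example (not part of the STIG text or any SUSE tooling), the shell function below applies this check to captured `systemctl status auditd.service` output and also reports whether the unit is enabled, which the fix sets but the check text does not test. The function name and the sample status texts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not DISA's or SUSE's code. check_auditd_status is a
# hypothetical helper; it reads `systemctl status auditd.service` output on
# stdin and returns 0 (not a finding) or 1 (finding) per SLES-12-020010.
check_auditd_status() {
    status_text=$(cat)
    # Values of the first "Active:" and "Loaded:" lines, labels stripped.
    active_line=$(printf '%s\n' "$status_text" |
        sed -n 's/^[[:space:]]*Active:[[:space:]]*//p' | head -n 1)
    loaded_line=$(printf '%s\n' "$status_text" |
        sed -n 's/^[[:space:]]*Loaded:[[:space:]]*//p' | head -n 1)
    # Pass condition from the check text: "Active: active (running)".
    case "$active_line" in
        "active (running)"*) running=yes ;;
        *) running=no ;;
    esac
    # Unit-file state is the second field inside the Loaded: parentheses.
    case "$loaded_line" in
        *"; enabled;"*|*"; enabled)"*) enabled=yes ;;
        *) enabled=no ;;
    esac
    if [ "$running" = yes ]; then
        echo "SLES-12-020010 NOT_A_FINDING running=$running enabled=$enabled"
        return 0
    fi
    echo "SLES-12-020010 FINDING running=$running enabled=$enabled"
    return 1
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_RUNNING='auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2021-01-04 10:00:00 UTC; 1h ago'

SAMPLE_STOPPED='auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; disabled; vendor preset: disabled)
   Active: inactive (dead)'

# Running now, but not enabled: passes the check, yet will not start at boot.
SAMPLE_NOT_ENABLED='auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; disabled; vendor preset: enabled)
   Active: active (running) since Mon 2021-01-04 10:00:00 UTC; 5min ago'

# On a live host: systemctl status auditd.service | check_auditd_status
```

A result of `running=yes enabled=no` is not a finding under the check text, but it means the enable step of the fix has not been applied and auditing will not resume after a reboot.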
Documentable
False
Severity Override Guidance
Verify the SUSE operating system produces audit records.
Check that the SUSE operating system produces audit records by running the following command to determine the current status of the auditd service:
# systemctl status auditd.service
If the service is enabled, the returned message must contain the following text:
Active: active (running)
If the service is not running, this is a finding.
Check Content Reference
M
Target Key
4033