STIGQter: STIG Summary: Red Hat Enterprise Linux 8 Security Technical Implementation Guide, Version: 1, Release: 2, Benchmark Date: 23 Apr 2021

All RHEL 8 remote access methods must be monitored.

DISA Rule

SV-230228r627750_rule

Vulnerability Number

V-230228

Group Title

SRG-OS-000032-GPOS-00013

Rule Version

RHEL-08-010070

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure RHEL 8 to monitor all remote access methods by installing rsyslog with the following command:

$ sudo yum install rsyslog

Then add or update the following lines to the "/etc/rsyslog.conf" file:

auth.*;authpriv.*;daemon.* /var/log/secure

The "rsyslog" service must be restarted for the changes to take effect. To restart the "rsyslog" service, run the following command:

$ sudo systemctl restart rsyslog.service

Check Contents

Verify that RHEL 8 monitors all remote access methods.

Check that remote access methods are being logged by running the following command:

$ sudo grep -E '(auth.*|authpriv.*|daemon.*)' /etc/rsyslog.conf

auth.*;authpriv.*;daemon.* /var/log/secure

If "auth.*", "authpriv.*" or "daemon.*" are not configured to be logged, this is a finding.
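
A stricter form of this check, as an added example that is not part of the STIG text: the grep pattern above also matches commented-out lines and any line that merely contains "auth" or "daemon", so this function parses the selector field of each active rule and prints whichever of the three required selectors is not covered. The function name and the sample input are assumptions made for the example; of the exclusion forms, only ".none" is modeled.

```shell
#!/bin/sh
# Added example, not STIG text. The helper name is hypothetical.
# Prints each required selector that no active rule logs at all priorities;
# prints nothing when auth.*, authpriv.* and daemon.* are all covered.
# Reads the files named as arguments, or stdin when none are given.
missing_remote_access_selectors() {
    awk '
    BEGIN { req[1] = "auth"; req[2] = "authpriv"; req[3] = "daemon" }
    /^[ \t]*#/ { next }            # commented-out rule: does not count
    NF < 2 { next }                # a rule needs a selector and an action
    $1 !~ /^[a-z0-9*,]+\.[^;]+(;[a-z0-9*,]+\.[^;]+)*$/ { next }  # not a selector
    {
        split("", line)            # facilities this one rule logs
        n = split($1, entry, ";")
        for (i = 1; i <= n; i++) { # entries apply left to right
            dot = index(entry[i], ".")
            prio = substr(entry[i], dot + 1)
            m = split(substr(entry[i], 1, dot - 1), fac, ",")
            for (j = 1; j <= m; j++)
                for (k = 1; k <= 3; k++)
                    if (fac[j] == req[k] || fac[j] == "*") {
                        if (prio == "*") line[req[k]] = 1
                        else if (prio == "none") delete line[req[k]]
                    }
        }
        for (f in line) covered[f] = 1
    }
    END { for (k = 1; k <= 3; k++) if (!(req[k] in covered)) print req[k] ".*" }
    ' "$@"
}

# Constructed sample input: the required line is commented out, so the
# grep-based check would still match it, while only authpriv.* is active.
missing_remote_access_selectors <<'EOF'
#auth.*;authpriv.*;daemon.* /var/log/secure
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
EOF
```

On a live host, pass "/etc/rsyslog.conf" together with any files it includes; any output is a finding.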

Documentable

False

Check Content Reference

M

Target Key

2921
