The Ubuntu operating system must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DoD-defined auditable events and actions in near real time.
DISA Rule
SV-238298r654069_rule
Vulnerability Number
V-238298
Group Title
SRG-OS-000122-GPOS-00063
Rule Version
UBTU-20-010182
Severity
CAT II
CCI(s)
- CCI-000130 - The information system generates audit records containing information that establishes what type of event occurred.
- CCI-000131 - The information system generates audit records containing information that establishes when an event occurred.
- CCI-000132 - The information system generates audit records containing information that establishes where the event occurred.
- CCI-000133 - The information system generates audit records containing information that establishes the source of the event.
- CCI-000134 - The information system generates audit records containing information that establishes the outcome of the event.
- CCI-000135 - The information system generates audit records containing the organization-defined additional, more detailed information that is to be included in the audit records.
- CCI-000154 - The information system provides the capability to centrally review and analyze audit records from multiple components within the system.
- CCI-000158 - The information system provides the capability to process audit records for events of interest based on organization-defined audit fields within audit records.
- CCI-000169 - The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components.
- CCI-000172 - The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
- CCI-001875 - The information system provides an audit reduction capability that supports on-demand audit review and analysis.
- CCI-001876 - The information system provides an audit reduction capability that supports on-demand reporting requirements.
- CCI-001877 - The information system provides an audit reduction capability that supports after-the-fact investigations of security incidents.
- CCI-001878 - The information system provides a report generation capability that supports on-demand audit review and analysis.
- CCI-001879 - The information system provides a report generation capability that supports on-demand reporting requirements.
- CCI-001880 - The information system provides a report generation capability that supports after-the-fact investigations of security incidents.
- CCI-001881 - The information system provides an audit reduction capability that does not alter original content or time ordering of audit records.
- CCI-001882 - The information system provides a report generation capability that does not alter original content or time ordering of audit records.
- CCI-001914 - The information system provides the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined information system components based on organization-defined selectable event criteria within organization-defined time thresholds.
Weight
10
Fix Recommendation
Configure the audit service to produce audit records containing the information needed to establish when (date and time) an event occurred.
Install the audit service (if the audit service is not already installed) with the following command:
$ sudo apt-get install auditd
Enable the audit service with the following command:
$ sudo systemctl enable auditd.service
To reload the rules file, issue the following command:
$ sudo augenrules --load
Check Contents
Verify the audit service is configured to produce audit records with the following command:
$ dpkg -l | grep auditd
If the "auditd" package is not installed, this is a finding.
Verify the audit service is enabled with the following command:
$ systemctl is-enabled auditd.service
If the command above returns "disabled", this is a finding.
Verify the audit service is properly running and active on the system with the following command:
$ systemctl is-active auditd.service
active
If the command above returns "inactive", this is a finding.
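The three checks above can be run as one script; the example below is added here and is not part of the STIG text. The function names are my own, the pass/finding logic is separated from the command execution so it can be exercised offline, and the dpkg pattern is tightened to the exact package name (the STIG's own check uses a plain "grep auditd").

```shell
#!/bin/sh
# Added example (not from the STIG): automate the UBTU-20-010182 check.

# Pure evaluation of the observed values, so it can be tested without auditd.
# Arguments: <installed: yes|no> <systemctl is-enabled output> <systemctl is-active output>
# Prints one line per check; the return value is the number of findings (0..3).
evaluate_auditd_checks() {
    installed=$1
    enabled=$2
    active=$3
    findings=0
    if [ "$installed" = "yes" ]; then
        echo "PASS: auditd package is installed"
    else
        echo "FINDING: auditd package is not installed"
        findings=$((findings + 1))
    fi
    if [ "$enabled" = "enabled" ]; then
        echo "PASS: auditd.service is enabled"
    else
        echo "FINDING: systemctl is-enabled returned '$enabled'"
        findings=$((findings + 1))
    fi
    if [ "$active" = "active" ]; then
        echo "PASS: auditd.service is active"
    else
        echo "FINDING: systemctl is-active returned '$active'"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Gather the live values with the same commands the check content lists,
# then hand them to the evaluator. Missing tools yield "no"/"unknown".
collect_auditd_state() {
    if dpkg -l 2>/dev/null | grep -q '^ii  auditd[[:space:]]'; then inst=yes; else inst=no; fi
    en=$(systemctl is-enabled auditd.service 2>/dev/null || true)
    ac=$(systemctl is-active auditd.service 2>/dev/null || true)
    evaluate_auditd_checks "$inst" "${en:-unknown}" "${ac:-unknown}"
}
```

Run `collect_auditd_state` on the target host; a non-zero exit status means at least one finding.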
Documentable
False
Severity Override Guidance
Check Content Reference
M
Target Key
5318
Comments