3.3 Configure Security Auditing Flags - 'audit all failed events across all audit classes'

Information

Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, has begun, or is about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised.

Solution

Perform the following to implement the prescribed state:
Open a terminal session and edit the /etc/security/audit_control file
Find the line beginning with 'flags'
Add the following flags: lo,ad,fd,fm,-all.
Save the file.

See Also

https://workbench.cisecurity.org/files/301

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c.

Plugin: Unix

Control ID: be02db3ff27b76091b0feb8c8ae33dcedd0997e1dc0bacfd1411b930b32230fd