PHTN-30-000020 - The Photon operating system must generate audit records when successful/unsuccessful attempts to access privileges occur.

Information

Audit records can be generated from various components within the information system (e.g., module or policy filter).

Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212

Solution

Navigate to and open:

/etc/audit/rules.d/audit.STIG.rules

Add the following lines:

-a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,fchownat,fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F key=perm_mod
-a always,exit -F arch=b32 -S chmod,fchmod,fchown,chown,fchownat,fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
-a always,exit -F arch=b32 -S chmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F key=perm_mod

At the command line, run the following command to load the new audit rules:

# /sbin/augenrules --load

Note: A new 'audit.STIG.rules' file is provided for placement in '/etc/audit/rules.d' that contains all rules needed for auditd.

Note: An older 'audit.STIG.rules' may already be present; it can be recognized by its references to older 'GEN' SRG IDs. This file can be removed and replaced as necessary with an updated one.
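
An added example, not part of the STIG or the vendor's tooling: a shell function that reads a rules file such as the one named above and lists every arch/syscall pair from the fix text that no perm_mod rule covers. The function name and the sample rules file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the STIG): report perm_mod coverage gaps in a rules file.
# Syscall list = the union of the -S lists in the fix text above.
REQUIRED="chmod fchmod chown fchown lchown setxattr lsetxattr fsetxattr \
removexattr lremovexattr fremovexattr fchownat fchmodat"

# missing_perm_mod_rules FILE
# Prints "arch:syscall" for each required syscall that no "-a always,exit" rule
# with key perm_mod names; returns 1 if any are missing. Extra -F filters such
# as auid are not evaluated, so a filtered rule still counts as coverage.
missing_perm_mod_rules() {
    awk -v required="$REQUIRED" '
    /^[ \t]*-a[ \t]+always,exit/ {
        arch = ""; key = ""; calls = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-S") calls = calls "," $(i + 1)
            if ($i == "-k") key = $(i + 1)
            if ($i == "-F" && $(i + 1) ~ /^arch=/) arch = substr($(i + 1), 6)
            if ($i == "-F" && $(i + 1) ~ /^key=/)  key  = substr($(i + 1), 5)
        }
        if (key != "perm_mod" || arch == "") next
        n = split(calls, c, ",")
        for (j = 1; j <= n; j++) if (c[j] != "") seen[arch ":" c[j]] = 1
    }
    END {
        m = split(required, r, " "); na = split("b64 b32", a, " ")
        for (x = 1; x <= na; x++)
            for (y = 1; y <= m; y++) {
                k = a[x] ":" r[y]
                if (!(k in seen)) { print k; bad = 1 }
            }
        exit bad + 0
    }' "$1"
}

# Constructed sample: only the b64 rules are present, so every b32 syscall is reported.
sample=$(mktemp)
cat > "$sample" <<'EOF'
-a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,fchownat,fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F key=perm_mod
EOF
if missing_perm_mod_rules "$sample"; then echo "perm_mod rules complete"
else echo "perm_mod rules incomplete"; fi
rm -f "$sample"
```

The function checks the rules file on disk; rules only take effect in the kernel after the load step above has been run.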

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y24M01_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY, MAINTENANCE

References: 800-53|AU-12c., 800-53|MA-4(1)(a), CAT|II, CCI|CCI-000172, CCI|CCI-002884, Rule-ID|SV-256497r887165_rule, STIG-ID|PHTN-30-000020, Vuln-ID|V-256497

Plugin: Unix

Control ID: a8005be6468974d059ddf913b1fd47f31b9950de7e73e9f594bd818f2466bddb