auditd - audit daemon¶
The STIG requires all systems to have the audit daemon, auditd, running to
monitor system calls and other critical events. The daemon has rules that
define which events are noteworthy on the system and it can generate alerts
based on the events it finds.
Overview¶
- Audit daemon rules
The auditd rules are deployed in a single task via a template
(templates/osas-auditd-rhel7.j2). Each rule or set of similar rules is
controlled by an Ansible variable that starts with security_rhel7_audit_.
Refer to defaults/main.yml for a list of these variables.
Example:
# Add audit rules for commands/syscalls.
security_rhel7_audit_chsh: yes     # V-72167
security_rhel7_audit_chage: yes    # V-72155
security_rhel7_audit_chcon: yes    # V-72139
security_rhel7_audit_chmod: no     # V-72105
security_rhel7_audit_chown: no     # V-72097
For example, setting security_rhel7_audit_chown to yes ensures that the rule
for auditing usage of the chown syscall is included on each host. Setting
security_rhel7_audit_chown to no omits that rule on each host.
- Handling audit emergencies
There are several configurations for auditd which are critical for deployers
to review in detail. The options beneath the ## Audit daemon (auditd) comment
in defaults/main.yml change how auditd handles log files and what it should
do in case of emergencies.
Warning
Deployers should thoroughly test all changes to auditd emergency
configurations. Some of these configuration options can cause serious issues
on production systems, ranging from a reduction in security to servers going
offline unexpectedly. There is extensive documentation in the developer notes
below for each STIG requirement.
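The following is an added example, not the role's template and not code from the ansible-hardening project. It shows how a set of security_rhel7_audit_* variables can be rendered into auditd rule lines of the form the RHEL 7 STIG check content expects: syscall rules carry an arch filter and command rules carry a path filter, and both are limited to real users via the auid filters. The split between syscall and command variables, the audit key names and the per-architecture arch filters (b32 and b64 on x86_64, because a 32-bit binary on a 64-bit kernel enters through the b32 syscall table) are assumptions made for the example.

```python
"""Render security_rhel7_audit_* flags into auditd rule lines.

Added example for this page; the real template in ansible-hardening may emit
different rule text. Rule syntax follows the RHEL 7 STIG check content.
"""
from typing import Dict, List

VAR_PREFIX = "security_rhel7_audit_"
# 4294967295 is the "unset" auid; restrict rules to real logged-in users
AUID_FILTER = "-F auid>=1000 -F auid!=4294967295"

# variable suffix -> (syscall, audit key); assumed subset of the role's variables
SYSCALL_RULES = {
    "chown": ("chown", "perm_mod"),
    "fchown": ("fchown", "perm_mod"),
    "chmod": ("chmod", "perm_mod"),
    "setxattr": ("setxattr", "perm_mod"),
    "open": ("open", "access"),
    "init_module": ("init_module", "module-change"),
    "rename": ("rename", "delete"),
}

# variable suffix -> (binary path on RHEL 7, audit key); assumed subset
COMMAND_RULES = {
    "chsh": ("/usr/bin/chsh", "privileged-priv_change"),
    "chage": ("/usr/bin/chage", "privileged-passwd"),
    "chcon": ("/usr/bin/chcon", "privileged-priv_change"),
    "su": ("/usr/bin/su", "privileged-priv_change"),
    "sudo": ("/usr/bin/sudo", "privileged-priv_change"),
}

# arch filters per `uname -m`. On x86_64 a 32-bit binary uses the b32 syscall
# table, so a b64-only rule would miss it; i686 and ppc64 need one (assumption).
ARCH_FILTERS = {"x86_64": ("b32", "b64"), "i686": ("b32",), "ppc64": ("b64",)}


def syscall_rule(syscall: str, key: str, arch: str) -> str:
    return f"-a always,exit -F arch={arch} -S {syscall} {AUID_FILTER} -k {key}"


def command_rule(path: str, key: str) -> str:
    return f"-a always,exit -F path={path} {AUID_FILTER} -k {key}"


def build_rules(flags: Dict[str, bool], machine: str, failure_flag: int = 1) -> List[str]:
    """Build a rules file body from {variable_name: enabled} and the host arch.

    A variable with no known rule raises KeyError so that a typo in group_vars
    cannot silently drop a rule; an unknown arch raises ValueError.
    """
    if machine not in ARCH_FILTERS:
        raise ValueError(f"no arch filters defined for {machine}")
    if failure_flag not in (0, 1, 2):
        raise ValueError("failure flag must be 0, 1 or 2")
    # -D clears loaded rules, -b sets the kernel backlog, -f the failure flag
    rules = ["-D", "-b 8192", f"-f {failure_flag}"]
    for name, enabled in sorted(flags.items()):
        if not name.startswith(VAR_PREFIX):
            raise KeyError(f"not an audit rule variable: {name}")
        suffix = name[len(VAR_PREFIX):]
        if not enabled:
            continue
        if suffix in SYSCALL_RULES:
            syscall, key = SYSCALL_RULES[suffix]
            rules.extend(syscall_rule(syscall, key, a) for a in ARCH_FILTERS[machine])
        elif suffix in COMMAND_RULES:
            rules.append(command_rule(*COMMAND_RULES[suffix]))
        else:
            raise KeyError(f"no rule known for {name}")
    return rules


if __name__ == "__main__":
    # constructed group_vars excerpt mirroring the example in the overview
    example = {
        "security_rhel7_audit_chsh": True,
        "security_rhel7_audit_chage": True,
        "security_rhel7_audit_chcon": True,
        "security_rhel7_audit_chmod": False,
        "security_rhel7_audit_chown": False,
    }
    print("\n".join(build_rules(example, "x86_64")))
```

Rejecting unknown variable names is the useful part: an Ansible variable that is misspelled in group_vars is simply undefined, so the default applies and the intended change never reaches the host without any error.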
STIG requirements¶
All of the tasks for these STIG requirements are included in tasks/rhel7stig/auditd.yml.
V-72079¶
Summary: Auditing must be configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users.
Severity: High
Implementation Status: Implemented
Deployer/Auditor notes¶
The tasks in the security role start the audit daemon immediately and ensure that it starts at boot time.
V-72081¶
Summary: The operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
The audit daemon takes various actions when there is an auditing failure.
There are three options for the -f flag for auditctl:
0: In the event of an auditing failure, do nothing.
1: In the event of an auditing failure, write messages to the kernel log.
2: In the event of an auditing failure, cause a kernel panic.
Most operating systems set the failure flag to 1 by default, which maximizes
system availability while still causing an alert. The tasks in the security
role set the flag to 1 by default. The value currently in effect on a host is
shown in the failure field of the auditctl -s output.
Deployers can adjust the following Ansible variable to customize the failure flag:
security_rhel7_audit_failure_flag: 1
Warning
Setting the failure flag to 2 is strongly discouraged unless the security of
the system takes priority over its availability. Any failure in auditing,
including lost events when the kernel audit backlog fills up faster than the
daemon can drain it, causes a kernel panic and the system requires a hard
reboot.
V-72083¶
Summary: The operating system must off-load audit records onto a different system or media from the system being audited.
Severity: Medium
Implementation Status: Opt-In
Deployer/Auditor notes¶
The audisp-remote plugin of audispd transmits audit logs to other servers.
Deployers should specify the address of another server that can receive
audit logs by setting the following Ansible variable:
security_audisp_remote_server: '10.0.21.1'
V-72085¶
Summary: The operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.
Severity: Medium
Implementation Status: Opt-In
Deployer/Auditor notes¶
The audisp-remote plugin transmits audit logs without encryption by default.
The STIG requires that these logs are encrypted while they are transferred
across the network. The encryption is controlled by the enable_krb5 option in
/etc/audisp/audisp-remote.conf.
Deployers can opt-in for encrypted audit log transmission by setting the following Ansible variable:
security_audisp_enable_krb5: yes
Warning
Only enable this setting if Kerberos is already configured on both the
sending host and the remote log server. If only one side is configured, the
transfer fails and the network_failure_action described under V-72087 is
taken.
V-72087¶
Summary: The audit system must take appropriate action when the audit storage volume is full.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
The tasks in the security role set the disk_full_action and
network_failure_action to syslog in the audispd remote configuration
(/etc/audisp/audisp-remote.conf). In the event of a full disk on the remote
log server or a network interruption, the local system sends warnings to
syslog. This is the safest option since it maximizes the availability of the
local system. Note that these two settings govern only the remote plugin;
/etc/audit/auditd.conf has its own disk_full_action for the local audit log
volume, which is not changed by these variables.
Deployers have two other options available:
single: Switch the local server into single-user mode in the event of a logging failure.
halt: Shut off the local server gracefully in the event of a logging failure.
Warning
Choosing single or halt causes a server to go into a degraded or offline
state immediately after a logging failure.
Deployers can adjust these configurations by setting the following Ansible variables (the safe defaults are shown here):
security_rhel7_auditd_disk_full_action: syslog
security_rhel7_auditd_network_failure_action: syslog
V-72089¶
Summary: The operating system must immediately notify the System Administrator (SA) and Information System Security Officer ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
The space_left configuration is set to 25% of the size of the disk mounted
on /. This calculation is done automatically. auditd compares space_left
against the free space on the filesystem that holds the audit log
(/var/log/audit by default), so if that directory is on its own filesystem,
deployers should set the threshold explicitly to match that filesystem
rather than /.
Deployers can set a custom threshold for the space_left configuration (in
megabytes) by setting the following Ansible variable:
# Example: A setting of 1GB (1024MB)
security_rhel7_auditd_space_left: 1024
V-72091¶
Summary: The operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
The space_left_action in the audit daemon configuration is set to email.
This configuration causes the root user to receive an email when the
space_left threshold is reached; the same warning is also written to syslog.
Email delivery depends on a working local mail transport agent (such as
sendmail) and on someone actually reading root's mail, so deployers should
confirm both, or the warning goes unnoticed.
Deployers can customize this configuration by setting the following Ansible variable:
security_rhel7_auditd_space_left_action: email
V-72093¶
Summary: The operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
The action_mail_acct configuration in the audit daemon configuration file is
set to root to meet the requirements of the STIG. Deployers can customize the
recipient of the emails that come from auditd by setting the following
Ansible variable:
security_rhel7_auditd_action_mail_acct: root
V-72095¶
Summary: All privileged function executions must be audited.
Severity: Medium
Implementation Status: Exception - Manual Intervention
Deployer/Auditor notes¶
This STIG is difficult to implement in an automated way because the number of applications on a system with setuid/setgid permissions changes over time. In addition, adding audit rules for some of these automatically could cause a significant increase in logging traffic when these applications are used regularly.
Deployers are urged to do the following instead:
Minimize the amount of applications with setuid/setgid privileges
Monitor any new applications that gain setuid/setgid privileges
Add risky applications with setuid/setgid privileges to auditd for detailed syscall monitoring
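The three steps above, as an added example that is not part of the ansible-hardening role: inventory setuid/setgid executables, compare them against a saved baseline so newly privileged files stand out, and render path rules in the STIG's form for the ones a deployer decides to watch. The baseline file location, the audit key name and the use of -F perm=x (fire on execution only) are assumptions made for this example.

```python
"""Inventory setuid/setgid executables and emit auditd rules for new ones.

Added example for this page, not code from the ansible-hardening role.
"""
import json
import os
import stat
import sys
from typing import Dict, Iterable, List, Set

AUID_FILTER = "-F auid>=1000 -F auid!=4294967295"


def _on_same_fs(path: str, dev: int) -> bool:
    """True if path lives on the filesystem identified by dev."""
    try:
        return os.lstat(path).st_dev == dev
    except OSError:
        return False


def find_privileged(root: str) -> Set[str]:
    """Return regular files under root with the setuid or setgid bit set.

    Symlinks are not followed and directories on other filesystems are
    pruned (like find -xdev), so /proc, /sys and network mounts are skipped.
    """
    found: Set[str] = set()
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if _on_same_fs(os.path.join(dirpath, d), root_dev)]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or removed while walking
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.add(path)
    return found


def diff_baseline(current: Set[str], baseline: Iterable[str]) -> Dict[str, List[str]]:
    """Newly privileged files are what an operator must look at first."""
    base = set(baseline)
    return {"added": sorted(current - base), "removed": sorted(base - current)}


def audit_rules_for(paths: Iterable[str], key: str = "privileged") -> List[str]:
    """Path rules that fire when a real user executes the binary."""
    return [f"-a always,exit -F path={p} -F perm=x {AUID_FILTER} -k {key}"
            for p in sorted(set(paths))]


def load_baseline(path: str) -> Set[str]:
    try:
        with open(path) as fp:
            return set(json.load(fp))
    except FileNotFoundError:
        return set()  # first run: everything counts as new


def save_baseline(paths: Iterable[str], path: str) -> None:
    with open(path, "w") as fp:
        json.dump(sorted(paths), fp)


if __name__ == "__main__":
    BASELINE = "/var/lib/setuid-baseline.json"  # assumed location
    current = find_privileged("/")
    delta = diff_baseline(current, load_baseline(BASELINE))
    for p in delta["added"]:
        print("new privileged binary:", p)
    print("\n".join(audit_rules_for(delta["added"], key="privileged-new")))
    if "--update" in sys.argv:
        save_baseline(current, BASELINE)
```

Run it from cron as root and ship the output to your monitoring; pass --update only after the new entries have been reviewed, otherwise an attacker's freshly planted setuid binary becomes part of the baseline on the next run.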
V-72097¶
Summary: All uses of the chown command must be audited.
Severity: Medium
Implementation Status: Opt-In
Deployer/Auditor notes¶
The STIG requires that all chown
syscalls are audited, but this
change creates a significant increase in logging on most systems. This increase
can cause some systems to run out of disk space for logs.
Warning
This rule is disabled by default to avoid high CPU usage and disk space exhaustion. Deployers should only enable this rule if they have tested it thoroughly in a non-production environment with system health monitoring enabled.
Deployers can opt in for this change by setting the following Ansible variable:
security_rhel7_audit_chown: yes
This rule is compatible with x86, x86_64, and ppc64 architectures.
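The architecture note above matters more than it looks: on an x86_64 host a syscall rule with only -F arch=b64 does not see the chown made by a 32-bit binary, which enters the kernel through the b32 syscall table. The following is an added example, not code from the ansible-hardening role, that checks the rules actually loaded on a host for this. It parses the listing auditctl -l prints on RHEL 7 (the key shown as -F key=..., an unset auid shown as -1), reports which arch filters each syscall still lacks, and checks that command and watch rules exist for a path. The sample listing is constructed, and the table of arch filters required per machine type is an assumption.

```python
"""Check loaded audit rules for per-arch syscall coverage.

Added example for this page, not part of the ansible-hardening role.
"""
import re
import shlex
from typing import Dict, List, Set

# Constructed listing (not from a real host): chown is b64-only, fchown is
# complete, lchown is absent, plus one command rule and one file watch.
SAMPLE_AUDITCTL_L = """\
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=-1 -F key=perm_mod
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=-1 -F key=perm_mod
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=-1 -F key=perm_mod
-a always,exit -S all -F path=/usr/bin/chsh -F auid>=1000 -F auid!=-1 -F key=privileged-priv_change
-w /etc/passwd -p wa -k identity
"""

# arch filters a syscall rule needs on each `uname -m` value (assumption)
REQUIRED_ARCHES = {"x86_64": {"b32", "b64"}, "i686": {"b32"}, "ppc64": {"b64"}}

# "!=" and ">=" must be tried before "=" and ">"
_FIELD = re.compile(r"^(\w+)(!=|>=|<=|&=|=|>|<|&)(.*)$")


def parse_rule(line: str) -> dict:
    """Reduce one auditctl -l line to the parts the coverage check needs."""
    rule = {"arch": None, "syscalls": set(), "path": None, "key": None}
    toks = shlex.split(line)
    i = 0
    while i < len(toks):
        opt = toks[i]
        if opt not in ("-a", "-S", "-F", "-k", "-w", "-p"):
            i += 1
            continue
        val = toks[i + 1]
        i += 2
        if opt == "-S":
            rule["syscalls"].update(val.split(","))
        elif opt == "-w":
            rule["path"] = val
        elif opt == "-k":
            rule["key"] = val
        elif opt == "-F":
            m = _FIELD.match(val)
            if not m:
                raise ValueError(f"unparseable field {val!r} in {line!r}")
            name, op, value = m.groups()
            if op == "=" and name in ("arch", "path", "key"):
                rule[name] = value
    return rule


def syscall_coverage(listing: str, syscalls: List[str], machine: str) -> Dict[str, List[str]]:
    """Map each syscall to the arch filters it still lacks on this machine."""
    needed = REQUIRED_ARCHES[machine]
    seen: Dict[str, Set[str]] = {s: set() for s in syscalls}
    for line in listing.splitlines():
        if not line.strip() or line.startswith("No rules"):
            continue
        rule = parse_rule(line)
        if rule["arch"] is None:
            continue  # watches and command rules carry no arch filter
        hit = syscalls if "all" in rule["syscalls"] else [s for s in syscalls if s in rule["syscalls"]]
        for s in hit:
            seen[s].add(rule["arch"])
    return {s: sorted(needed - seen[s]) for s in syscalls}


def command_covered(listing: str, path: str) -> bool:
    """True if some loaded rule names the path (via -F path= or -w)."""
    return any(parse_rule(l)["path"] == path for l in listing.splitlines() if l.strip())


if __name__ == "__main__":
    import subprocess
    try:  # needs root; falls back to the constructed sample elsewhere
        listing = subprocess.run(["auditctl", "-l"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        listing = SAMPLE_AUDITCTL_L
    for syscall, missing in syscall_coverage(listing, ["chown", "fchown", "lchown", "fchownat"], "x86_64").items():
        print(f"{syscall}: missing {missing or 'nothing'}")
```

Run it against auditctl -l rather than against the rules file on disk: the loaded set is what the kernel enforces, and a rule that failed to load (for example a path that does not exist on the host) is absent from it but still present in the file.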
V-72099¶
Summary: All uses of the fchown command must be audited.
Severity: Medium
Implementation Status: Opt-In
Deployer/Auditor notes¶
The STIG requires that all fchown
syscalls are audited, but this
change creates a significant increase in logging on most systems. This increase
can cause some systems to run out of disk space for logs.
Warning
This rule is disabled by default to avoid high CPU usage and disk space exhaustion. Deployers should only enable this rule if they have tested it thoroughly in a non-production environment with system health monitoring enabled.
Deployers can opt in for this change by setting the following Ansible variable:
security_rhel7_audit_fchown: yes
This rule is compatible with x86, x86_64, and ppc64 architectures.
V-72101¶
Summary: All uses of the lchown command must be audited.
Severity: Medium
Implementation Status: Opt-In
Deployer/Auditor notes¶
The STIG requires that all lchown
syscalls are audited, but this change
creates a significant increase in logging on most systems. This increase can
cause some systems to run out of disk space for logs.
Warning
This rule is disabled by default to avoid high CPU usage and disk space exhaustion. Deployers should only enable this rule if they have tested it thoroughly in a non-production environment with system health monitoring enabled.
Deployers can opt in for this change by setting the following Ansible variable:
security_rhel7_audit_lchown: yes
This rule is compatible with x86, x86_64, and ppc64 architectures.
V-72103¶
Summary: All uses of the fchownat command must be audited.
Severity: Medium
Implementation Status: Opt-In
Deployer/Auditor notes¶
The STIG requires that all fchownat
syscalls are audited, but this
change creates a significant increase in logging on most systems. This increase
can cause some systems to run out of disk space for logs.
Warning
This rule is disabled by default to avoid high CPU usage and disk space exhaustion. Deployers should only enable this rule if they have tested it thoroughly in a non-production environment with system health monitoring enabled.
Deployers can opt in for this change by setting the following Ansible variable:
security_rhel7_audit_fchownat: yes
This rule is compatible with x86, x86_64, and ppc64 architectures.
V-72105¶
Summary: All uses of the chmod command must be audited.
Severity: Medium
Implementation Status: Opt-In
Deployer/Auditor notes¶
The STIG requires that all chmod
syscalls are audited, but this
change creates a significant increase in logging on most systems. This increase
can cause some systems to run out of disk space for logs.
Warning
This rule is disabled by default to avoid high CPU usage and disk space exhaustion. Deployers should only enable this rule if they have tested it thoroughly in a non-production environment with system health monitoring enabled.
Deployers can opt in for this change by setting the following Ansible variable:
security_rhel7_audit_chmod: yes
This rule is compatible with x86, x86_64, and ppc64 architectures.
V-72107¶
Summary: All uses of the fchmod command must be audited.
Severity: Medium
Implementation Status: Opt-In
Deployer/Auditor notes¶
The STIG requires that all fchmod
syscalls are audited, but this
change creates a significant increase in logging on most systems. This increase
can cause some systems to run out of disk space for logs.
Warning
This rule is disabled by default to avoid high CPU usage and disk space exhaustion. Deployers should only enable this rule if they have tested it thoroughly in a non-production environment with system health monitoring enabled.
Deployers can opt in for this change by setting the following Ansible variable:
security_rhel7_audit_fchmod: yes
This rule is compatible with x86, x86_64, and ppc64 architectures.
V-72109¶
Summary: All uses of the fchmodat command must be audited.
Severity: Medium
Implementation Status: Opt-In
Deployer/Auditor notes¶
The STIG requires that all fchmodat
syscalls are audited, but this
change creates a significant increase in logging on most systems. This increase
can cause some systems to run out of disk space for logs.
Warning
This rule is disabled by default to avoid high CPU usage and disk space exhaustion. Deployers should only enable this rule if they have tested it thoroughly in a non-production environment with system health monitoring enabled.
Deployers can opt in for this change by setting the following Ansible variable:
security_rhel7_audit_fchmodat: yes
This rule is compatible with x86, x86_64, and ppc64 architectures.
V-72111¶
Summary: All uses of the setxattr command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
Rules are added to audit all setxattr
syscalls on the system.
Deployers can opt out of this change by setting an Ansible variable:
security_rhel7_audit_setxattr: no
This rule is compatible with x86, x86_64, and ppc64 architectures.
V-72113¶
Summary: All uses of the fsetxattr command must be audited.
Severity: Medium
Implementation Status: Opt-In
Deployer/Auditor notes¶
The STIG requires that all fsetxattr
syscalls are audited, but this
change creates a significant increase in logging on most systems. This increase
can cause some systems to run out of disk space for logs.
Warning
This rule is disabled by default to avoid high CPU usage and disk space exhaustion. Deployers should only enable this rule if they have tested it thoroughly in a non-production environment with system health monitoring enabled.
Deployers can opt in for this change by setting the following Ansible variable:
security_rhel7_audit_fsetxattr: yes
This rule is compatible with x86, x86_64, and ppc64 architectures.
V-72115¶
Summary: All uses of the lsetxattr command must be audited.
Severity: Medium
Implementation Status: Opt-In
Deployer/Auditor notes¶
The STIG requires that all lsetxattr
syscalls are audited, but this change
creates a significant increase in logging on most systems. This increase can
cause some systems to run out of disk space for logs.
Warning
This rule is disabled by default to avoid high CPU usage and disk space exhaustion. Deployers should only enable this rule if they have tested it thoroughly in a non-production environment with system health monitoring enabled.
Deployers can opt in for this change by setting the following Ansible variable:
security_rhel7_audit_lsetxattr: yes
This rule is compatible with x86, x86_64, and ppc64 architectures.
V-72117¶
Summary: All uses of the removexattr command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
Rules are added to audit all removexattr
syscalls on the system.
Deployers can opt out of this change by setting an Ansible variable:
security_rhel7_audit_removexattr: no
This rule is compatible with x86, x86_64, and ppc64 architectures.
V-72119¶
Summary: All uses of the fremovexattr command must be audited.
Severity: Medium
Implementation Status: Opt-In
Deployer/Auditor notes¶
The STIG requires that all fremovexattr
syscalls are audited, but this
change creates a significant increase in logging on most systems. This increase
can cause some systems to run out of disk space for logs.
Warning
This rule is disabled by default to avoid high CPU usage and disk space exhaustion. Deployers should only enable this rule if they have tested it thoroughly in a non-production environment with system health monitoring enabled.
Deployers can opt in for this change by setting the following Ansible variable:
security_rhel7_audit_fremovexattr: yes
This rule is compatible with x86, x86_64, and ppc64 architectures.
V-72121¶
Summary: All uses of the lremovexattr command must be audited.
Severity: Medium
Implementation Status: Opt-In
Deployer/Auditor notes¶
The STIG requires that all lremovexattr
syscalls are audited, but this
change creates a significant increase in logging on most systems. This increase
can cause some systems to run out of disk space for logs.
Warning
This rule is disabled by default to avoid high CPU usage and disk space exhaustion. Deployers should only enable this rule if they have tested it thoroughly in a non-production environment with system health monitoring enabled.
Deployers can opt in for this change by setting the following Ansible variable:
security_rhel7_audit_lremovexattr: yes
This rule is compatible with x86, x86_64, and ppc64 architectures.
V-72123¶
Summary: All uses of the creat command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
Rules are added to audit all creat
syscalls on the system.
Deployers can opt out of this change by setting an Ansible variable:
security_rhel7_audit_creat: no
This rule is compatible with x86, x86_64, and ppc64 architectures.
V-72125¶
Summary: All uses of the open command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
Rules are added to audit all open
syscalls on the system.
Deployers can opt out of this change by setting an Ansible variable:
security_rhel7_audit_open: no
This rule is compatible with x86, x86_64, and ppc64 architectures.
V-72127¶
Summary: All uses of the openat command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
Rules are added to audit all openat
syscalls on the system.
Deployers can opt out of this change by setting an Ansible variable:
security_rhel7_audit_openat: no
This rule is compatible with x86, x86_64, and ppc64 architectures.
V-72129¶
Summary: All uses of the open_by_handle_at command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
Rules are added to audit all open_by_handle_at
syscalls on the system.
Deployers can opt out of this change by setting an Ansible variable:
security_rhel7_audit_open_by_handle_at: no
This rule is compatible with x86, x86_64, and ppc64 architectures.
V-72131¶
Summary: All uses of the truncate command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
Rules are added to audit all truncate
syscalls on the system.
Deployers can opt out of this change by setting an Ansible variable:
security_rhel7_audit_truncate: no
This rule is compatible with x86, x86_64, and ppc64 architectures.
V-72133¶
Summary: All uses of the ftruncate command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
Rules are added to audit all ftruncate
syscalls on the system.
Deployers can opt out of this change by setting an Ansible variable:
security_rhel7_audit_ftruncate: no
This rule is compatible with x86, x86_64, and ppc64 architectures.
V-72135¶
Summary: All uses of the semanage command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
Rules are added to audit any time the semanage
command is used.
Deployers can opt out of this change by setting an Ansible variable:
security_rhel7_audit_semanage: no
V-72137¶
Summary: All uses of the setsebool command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
Rules are added to audit any time the setsebool
command is used.
Deployers can opt out of this change by setting an Ansible variable:
security_rhel7_audit_setsebool: no
V-72139¶
Summary: All uses of the chcon command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
The tasks add a rule to auditd that logs each time the chcon
command
is used.
Deployers can opt-out of this change by setting an Ansible variable:
security_rhel7_audit_chcon: no
V-72141¶
Summary: All uses of the setfiles command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
The tasks add a rule to auditd that logs each time the restorecon command is
used. Note that the STIG summary for this control names the setfiles command,
while the role's rule and variable name restorecon; auditors should confirm
with auditctl -l that the loaded rule matches the binary path the STIG check
looks for on the host.
Deployers can opt-out of this change by setting an Ansible variable:
security_rhel7_audit_restorecon: no
V-72143¶
Summary: The operating system must generate audit records for all successful/unsuccessful account access count events.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
Rules are added to audit all successful and unsuccessful account access events. Deployers can opt out of this change by setting the following Ansible variable:
security_rhel7_audit_account_access: no
V-72145¶
Summary: The operating system must generate audit records for all unsuccessful account access events.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
This control is implemented by the tasks for V-72143, which audit both successful and unsuccessful account access events and are controlled by the security_rhel7_audit_account_access variable.
V-72147¶
Summary: The operating system must generate audit records for all successful account access events.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
The tasks add a rule to auditd that logs each time an account is accessed.
Deployers can opt-out of this change by setting an Ansible variable:
security_rhel7_audit_account_access: no
V-72149¶
Summary: All uses of the passwd command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
The tasks add a rule to auditd that logs each time the passwd
command is
used.
Deployers can opt-out of this change by setting an Ansible variable:
security_rhel7_audit_passwd_command: no
V-72151¶
Summary: All uses of the unix_chkpwd command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
The tasks add a rule to auditd that logs each time the unix_chkpwd
command
is used.
Deployers can opt-out of this change by setting an Ansible variable:
security_rhel7_audit_unix_chkpwd: no
V-72153¶
Summary: All uses of the gpasswd command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
The tasks add a rule to auditd that logs each time the gpasswd
command
is used.
Deployers can opt-out of this change by setting an Ansible variable:
security_rhel7_audit_gpasswd: no
V-72155¶
Summary: All uses of the chage command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
The tasks add a rule to auditd that logs each time the chage
command
is used.
Deployers can opt-out of this change by setting an Ansible variable:
security_rhel7_audit_chage: no
V-72157¶
Summary: All uses of the userhelper command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
The tasks add a rule to auditd that logs each time the userhelper
command
is used.
Deployers can opt-out of this change by setting an Ansible variable:
security_rhel7_audit_userhelper: no
V-72159¶
Summary: All uses of the su command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
The tasks add a rule to auditd that logs each time the su
command is used.
Deployers can opt-out of this change by setting an Ansible variable:
security_rhel7_audit_su: no
V-72161¶
Summary: All uses of the sudo command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
The tasks add a rule to auditd that logs each time the sudo
command is
used.
Deployers can opt-out of this change by setting an Ansible variable:
security_rhel7_audit_sudo: no
V-72163¶
Summary: All uses of the sudoers command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
The tasks add a rule to auditd that logs each time a user manages the configuration files for sudo.
Deployers can opt-out of this change by setting an Ansible variable:
security_rhel7_audit_sudo_config_changes: no
V-72165¶
Summary: All uses of the newgrp command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
The tasks add a rule to auditd that logs each time the newgrp
command is
used.
Deployers can opt-out of this change by setting an Ansible variable:
security_rhel7_audit_newgrp: no
V-72167¶
Summary: All uses of the chsh command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
The tasks add a rule to auditd that logs each time the chsh
command is
used.
Deployers can opt-out of this change by setting an Ansible variable:
security_rhel7_audit_chsh: no
V-72169¶
Summary: All uses of the sudoedit command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
The tasks add a rule to auditd that logs each time the sudoedit
command is
used.
Deployers can opt-out of this change by setting an Ansible variable:
security_rhel7_audit_sudoedit: no
V-72171¶
Summary: All uses of the mount command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
The tasks add a rule to auditd that logs each time the mount
command is
used.
Deployers can opt-out of this change by setting an Ansible variable:
security_rhel7_audit_mount: no
V-72173¶
Summary: All uses of the umount command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
The tasks add a rule to auditd that logs each time the umount
command is
used.
Deployers can opt-out of this change by setting an Ansible variable:
security_rhel7_audit_umount: no
V-72175¶
Summary: All uses of the postdrop command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
The tasks add a rule to auditd that logs each time the postdrop
command is
used.
Deployers can opt-out of this change by setting an Ansible variable:
security_rhel7_audit_postdrop: no
V-72177¶
Summary: All uses of the postqueue command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
The tasks add a rule to auditd that logs each time the postqueue
command is
used.
Deployers can opt-out of this change by setting an Ansible variable:
security_rhel7_audit_postqueue: no
V-72179¶
Summary: All uses of the ssh-keysign command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
The tasks add a rule to auditd that logs each time the ssh-keysign
command
is used.
Deployers can opt-out of this change by setting an Ansible variable:
security_rhel7_audit_ssh_keysign: no
V-72183¶
Summary: All uses of the crontab command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
The tasks add a rule to auditd that logs each time the crontab
command
is used.
Deployers can opt-out of this change by setting an Ansible variable:
security_rhel7_audit_crontab: no
V-72185¶
Summary: All uses of the pam_timestamp_check command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
The tasks add a rule to auditd that logs each time the pam_timestamp_check
command is used.
Deployers can opt-out of this change by setting an Ansible variable:
security_rhel7_audit_pam_timestamp_check: no
V-72187¶
Summary: All uses of the init_module command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
Rules are added to audit all init_module
syscalls on the system.
Deployers can opt out of this change by setting an Ansible variable:
security_rhel7_audit_init_module: no
This rule is compatible with x86, x86_64, and ppc64 architectures.
V-72189¶
Summary: All uses of the delete_module command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
Rules are added to audit all delete_module
syscalls on the system.
Deployers can opt out of this change by setting an Ansible variable:
security_rhel7_audit_delete_module: no
This rule is compatible with x86, x86_64, and ppc64 architectures.
V-72191¶
Summary: All uses of the insmod command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
The tasks add a rule to auditd that logs each time the insmod
command is
used.
Deployers can opt-out of this change by setting an Ansible variable:
security_rhel7_audit_insmod: no
V-72193¶
Summary: All uses of the rmmod command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
The tasks add a rule to auditd that logs each time the rmmod
command is
used.
Deployers can opt-out of this change by setting an Ansible variable:
security_rhel7_audit_rmmod: no
V-72195¶
Summary: All uses of the modprobe command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
The tasks add a rule to auditd that logs each time the modprobe
command is
used.
Deployers can opt-out of this change by setting an Ansible variable:
security_rhel7_audit_modprobe: no
V-72197¶
Summary: The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
The tasks add a rule to auditd that logs each time that an account is modified. This includes changes to the following files:
/etc/group
/etc/passwd
/etc/gshadow
/etc/shadow
/etc/security/opasswd
Deployers can opt-out of this change by setting an Ansible variable:
security_rhel7_audit_account_actions: no
V-72199¶
Summary: All uses of the rename command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
Rules are added to audit all rename
syscalls on the system.
Deployers can opt out of this change by setting an Ansible variable:
security_rhel7_audit_rename: no
This rule is compatible with x86, x86_64, and ppc64 architectures.
V-72201¶
Summary: All uses of the renameat command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
Rules are added to audit all renameat
syscalls on the system.
Deployers can opt out of this change by setting an Ansible variable:
security_rhel7_audit_renameat: no
This rule is compatible with x86, x86_64, and ppc64 architectures.
V-72203¶
Summary: All uses of the rmdir command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
Rules are added to audit all rmdir
syscalls on the system.
Deployers can opt out of this change by setting an Ansible variable:
security_rhel7_audit_rmdir: no
This rule is compatible with x86, x86_64, and ppc64 architectures.
V-72205¶
Summary: All uses of the unlink command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
Rules are added to audit all unlink syscalls on the system.
Deployers can opt-out of this change by setting an Ansible variable:
security_rhel7_audit_unlink: no
This rule is compatible with x86, x86_64, and ppc64 architectures.
V-72207¶
Summary: All uses of the unlinkat command must be audited.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
Rules are added to audit all unlinkat syscalls on the system.
Deployers can opt-out of this change by setting an Ansible variable:
security_rhel7_audit_unlinkat: no
This rule is compatible with x86, x86_64, and ppc64 architectures.
V-73163¶
Summary: The audit system must take appropriate action when there is an error sending audit records to a remote system.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
This control is implemented by the tasks for V-72087, which set network_failure_action in the audispd remote configuration (security_rhel7_auditd_network_failure_action).
V-73165¶
Summary: The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
This control is implemented by the tasks for V-72197, whose account modification rules cover /etc/group (security_rhel7_audit_account_actions).
V-73167¶
Summary: The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
This control is implemented by the tasks for V-72197, whose account modification rules cover /etc/gshadow (security_rhel7_audit_account_actions).
V-73171¶
Summary: The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
This control is implemented by the tasks for V-72197, whose account modification rules cover /etc/shadow (security_rhel7_audit_account_actions).
V-73173¶
Summary: The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes¶
This control is implemented by the tasks for V-72197, whose account modification rules cover /etc/security/opasswd (security_rhel7_audit_account_actions).