Details
The auditing system _MUST_ be configured to flag authorization and authentication (aa) events.
Authentication events contain information about the identity of a user, server, or client. Authorization events contain information about permissions, rights, and rules. If audit records do not include aa events, it is difficult to identify incidents and to correlate incidents to subsequent events.
Audit records can be generated from various components within the information system (e.g., via a module or policy filter).
Solution
Run the following bash code
/usr/bin/grep -qE "^flags.*[^-]aa" /etc/security/audit_control || /usr/bin/sed -i.bak '/^flags/ s/$/,aa/' /etc/security/audit_control; /usr/sbin/audit -s
----
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control, Audit and Accountability, Configuration Management, Maintenance.This control applies to the following type of system Unix.
References
- 800-53|AC-2(12)
- 800-53|AU-2
- 800-53|AU-12
- 800-53|AU-12c.
- 800-53|CM-5(1)
- 800-53|MA-4(1)
- CCE|CCE-85261-6, CCI|CCI-000172
- STIG-ID|APPL-11-001044