OL 9 remote access methods must be monitored.

STIG ID: OL09-00-005000  |  SRG: SRG-OS-000032-GPOS-00013 |  Severity: medium |  CCI: CCI-000067 |  Vulnerability Id: V-271851

Vulnerability Discussion

Logging remote access methods can be used to trace the decrease in the risks associated with remote user access management. It can also be used to spot cyberattacks and ensure ongoing compliance with organizational policies surrounding the use of remote access methods.

Check

Verify that OL 9 monitors all remote access methods.

Check that remote access methods are being logged by running the following command:

$ grep -rE '(auth.\*|authpriv.\*|daemon.\*)' /etc/rsyslog.conf
authpriv.* /var/log/secure

If "auth.*", "authpriv.*" or "daemon.*" are not configured to be logged, this is a finding.

Fix

Configure OL 9 remote access methods to be monitored.

Add or update the following lines to the "/etc/rsyslog.conf" file:

auth.*;authpriv.*;daemon.* /var/log/secure

The "rsyslog" service must be restarted for the changes to take effect with the following command:

$ sudo systemctl restart rsyslog.service
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.