STIGQter STIGQter: STIG Summary: Red Hat Enterprise Linux 7 Security Technical Implementation Guide Version: 3 Release: 3 Benchmark Date: 23 Apr 2021:

The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure.

DISA Rule

SV-204504r603261_rule

Vulnerability Number

V-204504

Group Title

SRG-OS-000046-GPOS-00022

Rule Version

RHEL-07-030010

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the operating system to shut down in the event of an audit processing failure.

Add or correct the option to shut down the operating system with the following command:

# auditctl -f 2

Edit the "/etc/audit/rules.d/audit.rules" file and add the following line:

-f 2

If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure with the following command:

# auditctl -f 1

Edit the "/etc/audit/rules.d/audit.rules" file and add the following line:

-f 1

Kernel log monitoring must also be configured to properly alert designated staff.

The audit daemon must be restarted for the changes to take effect.

Check Contents

Confirm the audit configuration regarding how auditing processing failures are handled.

Check to see what level "auditctl" is set to with following command:

# auditctl -s | grep -i "fail"

failure 2

Note: If the value of "failure" is set to "2", the system is configured to panic (shut down) in the event of an auditing failure. If the value of "failure" is set to "1", the system is configured to only send information to the kernel log regarding the failure.

If the "failure" setting is set to any value other than "1" or "2", this is a finding.

If the "failure" setting is not set, this should be upgraded to a CAT I finding.

If the "failure" setting is set to "1" but the availability concern is not documented or there is no monitoring of the kernel log, this should be downgraded to a CAT III finding.

Vulnerability Number

V-204504

Documentable

False

Rule Version

RHEL-07-030010

Severity Override Guidance

Confirm the audit configuration regarding how auditing processing failures are handled.

Check to see what level "auditctl" is set to with following command:

# auditctl -s | grep -i "fail"

failure 2

Note: If the value of "failure" is set to "2", the system is configured to panic (shut down) in the event of an auditing failure. If the value of "failure" is set to "1", the system is configured to only send information to the kernel log regarding the failure.

If the "failure" setting is set to any value other than "1" or "2", this is a finding.

If the "failure" setting is not set, this should be upgraded to a CAT I finding.

If the "failure" setting is set to "1" but the availability concern is not documented or there is no monitoring of the kernel log, this should be downgraded to a CAT III finding.

Check Content Reference

M

Target Key

2899

Comments