The Ubuntu operating system must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DoD-defined auditable events and actions in near real time.
DISA Rule
SV-219225r610963_rule
Vulnerability Number
V-219225
Group Title
SRG-OS-000038-GPOS-00016
Rule Version
UBTU-18-010250
Severity
CAT II
CCI(s)
- CCI-001914 - The information system provides the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined information system components based on organization-defined selectable event criteria within organization-defined time thresholds.
- CCI-001875 - The information system provides an audit reduction capability that supports on-demand audit review and analysis.
- CCI-001876 - The information system provides an audit reduction capability that supports on-demand reporting requirements.
- CCI-001877 - The information system provides an audit reduction capability that supports after-the-fact investigations of security incidents.
- CCI-001878 - The information system provides a report generation capability that supports on-demand audit review and analysis.
- CCI-001879 - The information system provides a report generation capability that supports on-demand reporting requirements.
- CCI-001880 - The information system provides a report generation capability that supports after-the-fact investigations of security incidents.
- CCI-001814 - The Information system supports auditing of the enforcement actions.
- CCI-002884 - The organization audits nonlocal maintenance and diagnostic sessions organization-defined audit events.
- CCI-000172 - The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
- CCI-000154 - The information system provides the capability to centrally review and analyze audit records from multiple components within the system.
- CCI-000158 - The information system provides the capability to process audit records for events of interest based on organization-defined audit fields within audit records.
- CCI-000131 - The information system generates audit records containing information that establishes when an event occurred.
- CCI-000132 - The information system generates audit records containing information that establishes where the event occurred.
- CCI-000133 - The information system generates audit records containing information that establishes the source of the event.
- CCI-000134 - The information system generates audit records containing information that establishes the outcome of the event.
- CCI-000135 - The information system generates audit records containing the organization-defined additional, more detailed information that is to be included in the audit records.
- CCI-000169 - The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components.
Weight
10
Fix Recommendation
Configure the audit service to produce audit records containing the information needed to establish when (date and time) an event occurred.
Install the audit service (if the audit service is not already installed) with the following command:
# sudo apt-get install auditd
Enable the audit service with the following command:
# sudo systemctl enable auditd.service
To load the audit rules file, issue the following command:
# sudo augenrules --load
Check Contents
Verify the audit service is configured to produce audit records.
Check that the audit service is installed properly with the following command:
# dpkg -l | grep auditd
If the "auditd" package is not installed, this is a finding.
Check that the audit service is enabled with the following command:
# systemctl is-enabled auditd.service
If the command above returns "disabled", this is a finding.
Check that the audit service is properly running and active on the system with the following command:
# systemctl is-active auditd.service
active
If the command above returns "inactive", this is a finding.
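The three checks above can be scripted so that the pass/fail decision is repeatable. The following POSIX shell script is an added example, not part of the STIG text: the function names `evaluate_auditd_check` and `run_auditd_check` are my own, and the evaluator takes the raw output of the three check commands as arguments so the logic can be exercised offline on constructed input. It is stricter than the STIG wording in two places: only a `dpkg -l` line whose status is `ii` and whose package name is exactly `auditd` counts as installed (a bare `grep auditd` also matches `rc` lines for a removed package and matches `audispd-plugins`), and any `is-active` state other than `active` (such as `failed`) is treated as a finding.

```shell
#!/bin/sh
# Evaluates UBTU-18-010250 check results. Arguments are the raw outputs of:
#   $1  dpkg -l | grep auditd
#   $2  systemctl is-enabled auditd.service
#   $3  systemctl is-active auditd.service
# Prints each finding and returns 0 (compliant) or 1 (at least one finding).
evaluate_auditd_check() {
    dpkg_out="$1"
    enabled_out="$2"
    active_out="$3"
    status=0

    # Installed means a line whose status field is "ii" and whose package
    # name is exactly "auditd"; "rc" (removed, config remains) or a match on
    # a different package such as audispd-plugins does not satisfy the check.
    if ! printf '%s\n' "$dpkg_out" | awk '$1 == "ii" && $2 == "auditd" { f = 1 } END { exit f ? 0 : 1 }'; then
        echo "FINDING: auditd package is not installed"
        status=1
    fi

    # The STIG treats "disabled" as a finding; other states are left alone here.
    case "$enabled_out" in
        disabled) echo "FINDING: auditd.service is disabled"; status=1 ;;
    esac

    # Anything other than "active" (inactive, failed, unknown) is a finding.
    case "$active_out" in
        active) ;;
        *) echo "FINDING: auditd.service is '${active_out:-unknown}', expected 'active'"; status=1 ;;
    esac

    return $status
}

# Runs the live checks on this host and feeds their output to the evaluator.
run_auditd_check() {
    evaluate_auditd_check \
        "$(dpkg -l 2>/dev/null | grep auditd)" \
        "$(systemctl is-enabled auditd.service 2>/dev/null)" \
        "$(systemctl is-active auditd.service 2>/dev/null)"
}
```

Run `run_auditd_check; echo "exit=$?"` as root on the target host; a non-zero exit means the rule is a finding.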
Documentable
False
Check Content Reference
M
Target Key
4055
Comments