STIGQter: STIG Summary: Red Hat Enterprise Linux 8 Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 23 Apr 2021:

RHEL 8 must enable auditing of processes that start prior to the audit daemon.

DISA Rule

SV-230468r627750_rule

Vulnerability Number

V-230468

Group Title

SRG-OS-000062-GPOS-00031

Rule Version

RHEL-08-030601

Severity

CAT III

CCI(s)

• CCI-000169 - The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components.

Weight

10

Fix Recommendation

Configure RHEL 8 to audit processes that start prior to the audit daemon with the following command:

$ sudo grubby --update-kernel=ALL --args="audit=1"

Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates:

GRUB_CMDLINE_LINUX="audit=1"

Check Contents

Verify RHEL 8 enables auditing of processes that start prior to the audit daemon with the following commands:

$ sudo grub2-editenv - list | grep audit

kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82

If the "audit" entry does not equal "1", is missing, or the line is commented out, this is a finding.

Check that auditing is enabled by default to persist in kernel updates:

$ sudo grep audit /etc/default/grub

GRUB_CMDLINE_LINUX="audit=1"

If "audit" is not set to "1", is missing or commented out, this is a finding.

Vulnerability Number

V-230468

Documentable

False

Rule Version

RHEL-08-030601

Severity Override Guidance

Verify RHEL 8 enables auditing of processes that start prior to the audit daemon with the following commands:

$ sudo grub2-editenv - list | grep audit

kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82

If the "audit" entry does not equal "1", is missing, or the line is commented out, this is a finding.

Check that auditing is enabled by default to persist in kernel updates:

$ sudo grep audit /etc/default/grub

GRUB_CMDLINE_LINUX="audit=1"

If "audit" is not set to "1", is missing or commented out, this is a finding.

Check Content Reference

M

Target Key

2921

Comments