STIGQter STIGQter: STIG Summary: Red Hat Enterprise Linux 8 Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 23 Apr 2021:

RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.

DISA Rule

SV-230471r627750_rule

Vulnerability Number

V-230471

Group Title

SRG-OS-000063-GPOS-00032

Rule Version

RHEL-08-030610

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the files in directory "/etc/audit/rules.d/" and the "/etc/audit/auditd.conf" file to have a mode of "0640" with the following commands:

$ sudo chmod 0640 /etc/audit/rules.d/audit.rules
$ sudo chmod 0640 /etc/audit/rules.d/[customrulesfile].rules
$ sudo chmod 0640 /etc/audit/auditd.conf

Check Contents

Verify that the files in directory "/etc/audit/rules.d/" and "/etc/audit/auditd.conf" file have a mode of "0640" or less permissive by using the following commands:

$ sudo ls -al /etc/audit/rules.d/*.rules

-rw-r----- 1 root root 1280 Feb 16 17:09 audit.rules

$ sudo ls -l /etc/audit/auditd.conf

-rw-r----- 1 root root 621 Sep 22 17:19 auditd.conf

If the files in the "/etc/audit/rules.d/" directory or the "/etc/audit/auditd.conf" file have a mode more permissive than "0640", this is a finding.

Vulnerability Number

V-230471

Documentable

False

Rule Version

RHEL-08-030610

Severity Override Guidance

Verify that the files in directory "/etc/audit/rules.d/" and "/etc/audit/auditd.conf" file have a mode of "0640" or less permissive by using the following commands:

$ sudo ls -al /etc/audit/rules.d/*.rules

-rw-r----- 1 root root 1280 Feb 16 17:09 audit.rules

$ sudo ls -l /etc/audit/auditd.conf

-rw-r----- 1 root root 621 Sep 22 17:19 auditd.conf

If the files in the "/etc/audit/rules.d/" directory or the "/etc/audit/auditd.conf" file have a mode more permissive than "0640", this is a finding.

Check Content Reference

M

Target Key

2921

Comments