STIGQter: STIG Summary: Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide, Version: 1, Release: 1, Benchmark Date: 10 Mar 2021

The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

DISA Rule

SV-238243r653904_rule

Vulnerability Number

V-238243

Group Title

SRG-OS-000046-GPOS-00022

Rule Version

UBTU-20-010117

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure "auditd" service to notify the SA and ISSO in the event of an audit processing failure.

Edit the following line in "/etc/audit/auditd.conf" to ensure administrators are notified via email for those situations:

action_mail_acct = <administrator_account>

Note: Change "administrator_account" to an account for security personnel.

Restart the "auditd" service so the changes take effect:

$ sudo systemctl restart auditd.service

Check Contents

Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing failure with the following command:

$ sudo grep '^action_mail_acct = root' /etc/audit/auditd.conf

action_mail_acct = <administrator_account>

If the value of the "action_mail_acct" keyword is not set to an account for security personnel, the "action_mail_acct" keyword is missing, or the returned line is commented out, this is a finding.
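
The three finding conditions above can be told apart with a short script. This is an added example, not part of the STIG: the function name check_action_mail_acct, the account name "secadmin" and the sample file are constructed for illustration, and the match tolerates spacing differences around "=" that the exact grep pattern would miss.

```shell
#!/bin/sh
# Added example; check_action_mail_acct is a hypothetical helper name.
# Usage: check_action_mail_acct <conf-file> <expected-account>
# Returns 0 = not a finding, 1 = finding, 2 = cannot evaluate.
check_action_mail_acct() {
    conf=$1
    expected=$2
    key='^[[:space:]]*action_mail_acct[[:space:]]*='
    if [ -z "$expected" ] || [ ! -r "$conf" ]; then
        echo "ERROR: need a readable file and an expected account"
        return 2
    fi
    # No active line: tell "commented out" apart from "missing".
    if ! grep -Eq "$key" "$conf"; then
        if grep -Eq '^[[:space:]]*#.*action_mail_acct' "$conf"; then
            echo "FINDING: action_mail_acct is commented out"
        else
            echo "FINDING: action_mail_acct is missing"
        fi
        return 1
    fi
    # Count active lines whose value is not exactly the expected account
    # (an empty value counts as a mismatch).
    bad=$(sed -n "s/${key}[[:space:]]*//p" "$conf" \
        | sed 's/[[:space:]]*$//' | grep -Fxvc -- "$expected" || true)
    if [ "$bad" -ne 0 ]; then
        echo "FINDING: action_mail_acct is not set to $expected"
        return 1
    fi
    echo "PASS: action_mail_acct = $expected"
}

# Constructed sample: an old commented line plus an active line without
# spaces around "=". "secadmin" is a placeholder account name.
sample=$(mktemp)
printf '%s\n' '# action_mail_acct = root' 'action_mail_acct=secadmin' > "$sample"
check_action_mail_acct "$sample" secadmin
rm -f "$sample"
```

On a real system the first argument would be /etc/audit/auditd.conf and the second the site's designated security account.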

Documentable

False

Severity Override Guidance

Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing failure with the following command:

$ sudo grep '^action_mail_acct = root' /etc/audit/auditd.conf

action_mail_acct = <administrator_account>

If the value of the "action_mail_acct" keyword is not set to an account for security personnel, the "action_mail_acct" keyword is missing, or the returned line is commented out, this is a finding.

Check Content Reference

M

Target Key

5318
