documentation_complete: true
title: 'Enable auditd Service'
description: |-
    The <tt>auditd</tt> service is an essential userspace component of
    the Linux Auditing System, as it is responsible for writing audit records to
    disk.
    {{{ describe_service_enable(service="auditd") }}}
rationale: |-
    Without establishing what type of events occurred, it would be difficult
    to establish, correlate, and investigate the events leading up to an outage or attack.
    Ensuring the <tt>auditd</tt> service is active ensures audit records
    generated by the kernel are appropriately recorded.
    <br /><br />
    Additionally, a properly configured audit subsystem ensures that actions of
    individual system users can be uniquely traced to those users so they
    can be held accountable for their actions.
severity: medium
requires:
    - package_audit_installed
identifiers:
    cce@rhcos4: CCE-82463-1
    cce@rhel8: CCE-80872-5
    cce@rhel9: CCE-90829-3
    cce@rhel10: CCE-87955-1
    cce@sle12: CCE-83024-0
    cce@sle15: CCE-85581-7
    cce@slmicro5: CCE-93768-0
    cce@slmicro6: CCE-94631-9
references:
    cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9
    cis@sle12: 4.1.1.2
    cis@sle15: 4.1.1.2
    cjis: 5.4.1.1
    cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
    cui: 3.3.1,3.3.2,3.3.6
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(5)(ii)(C),164.310(a)(2)(iv),164.310(d)(2)(iii),164.312(b)
    isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
    isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
    iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.2.1,A.6.2.2
    nerc-cip: CIP-004-6 R3.3,CIP-007-3 R6.5
    nist: AC-2(g),AU-3,AU-10,AU-2(d),AU-12(c),AU-14(1),AC-6(9),CM-6(a),SI-4(23)
    nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
    nist@sle12: AU-3,AU-3(1),AU-3(1).1(ii),AU-3.1,AU-6(4),AU-6(4).1,AU-7(1),AU-7(1).1,AU-7(a),AU-14(1),AU-14(1).1,CM-6(b),CM-6.1(iv),MA-4(1)(a)
    ospp: FAU_GEN.1
    pcidss: Req-10.1
    srg: SRG-OS-000062-GPOS-00031,SRG-OS-000037-GPOS-00015,SRG-OS-000038-GPOS-00016,SRG-OS-000039-GPOS-00017,SRG-OS-000040-GPOS-00018,SRG-OS-000041-GPOS-00019,SRG-OS-000042-GPOS-00021,SRG-OS-000051-GPOS-00024,SRG-OS-000054-GPOS-00025,SRG-OS-000122-GPOS-00063,SRG-OS-000254-GPOS-00095,SRG-OS-000255-GPOS-00096,SRG-OS-000337-GPOS-00129,SRG-OS-000348-GPOS-00136,SRG-OS-000349-GPOS-00137,SRG-OS-000350-GPOS-00138,SRG-OS-000351-GPOS-00139,SRG-OS-000352-GPOS-00140,SRG-OS-000353-GPOS-00141,SRG-OS-000354-GPOS-00142,SRG-OS-000358-GPOS-00145,SRG-OS-000365-GPOS-00152,SRG-OS-000392-GPOS-00172,SRG-OS-000475-GPOS-00220,SRG-APP-000095-CTR-000170,SRG-APP-000409-CTR-000990,SRG-APP-000508-CTR-001300,SRG-APP-000510-CTR-001310
    stigid@ol7: OL07-00-030000
    stigid@ol8: OL08-00-030181
    stigid@sle12: SLES-12-020010
    stigid@sle15: SLES-15-030050
ocil_clause: 'the auditd service is not running'
ocil: |-
    {{{ ocil_service_enabled(service="auditd") }}}
fixtext: |-
    {{{ fixtext_service_enabled("auditd") }}}
{{% if 'ubuntu' not in product and 'debian' not in product %}}
srg_requirement: '{{{ srg_requirement_service_enabled("audit") }}}'
{{% else %}}
srg_requirement: '{{{ srg_requirement_service_enabled("auditd") }}}'
{{% endif %}}
platform: package[audit]
template:
    name: service_enabled
    vars:
        servicename: auditd
        packagename: audit
        packagename@debian11: auditd
        packagename@debian12: auditd
        packagename@debian13: auditd
        packagename@ubuntu2204: auditd
        packagename@ubuntu2404: auditd