3.2 Configure Security Auditing Flags - 'audit all failed events across all audit classes'

Information

Auditing is the capture and maintenance of information about security-related events.

Rationale:

Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised.

Solution

Perform the following to implement the prescribed state:

Open a terminal session and edit the /etc/security/audit_control file

Find the line beginning with 'flags'

Add the following flags: lo, ad, fd, fm, -all.

Save the file.

See Also

https://workbench.cisecurity.org/files/3092

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c.

Plugin: Unix

Control ID: 2dfe91390b591d3ebee5afa9ad17ed01e84870e8faaac35d7a4de7a5d82f55b4