3.2 Ensure Security Auditing Flags Are Configured Per Local Organizational Requirements - 'audit all failed write actions where enforcement stopped a file write'

Information

Auditing is the capture and maintenance of information about security-related events. Auditable events often depend on differing organizational requirements.

Rationale:

Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised.

Depending on the governing authority, organizations can have vastly different auditing requirements. In this control we have selected a minimal set of audit flags that should be a part of any organizational requirements. The flags selected below may not adequately meet organizational requirements for users of this benchmark. The auditing checks for the flags proposed here will not impact additional flags that are selected.

Solution

Perform the following to set the required Security Auditing Flags:
Edit the /etc/security/audit_control file and add the fm, ad, -ex, aa, -fr, lo, and -fw flags to the flags: line, or add -all to flags.
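The following shell script is an added example, not part of the benchmark text or of any CIS-supplied audit script. It reads the flags: line of an audit_control file and reports which of the flags required by this control are not satisfied. The function names (audit_flags_from_file, has_flag, check_audit_flags) and the sample audit_control written to a temporary file are constructed for the example. The matching rule follows audit_control(5): an unprefixed class such as ad records both successful and failed events, a "-" prefix records failures only, and the class "all" is the union of every class, so "-all" satisfies any "-xx" requirement and a bare "all" satisfies every requirement.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark text or its official audit
# scripts. Checks whether the "flags:" line of an audit_control file carries
# the flags this control requires. The sample file below is constructed.

# Flags required by this control (taken from the benchmark text).
REQUIRED_FLAGS="fm ad -ex aa -fr lo -fw"

# Print the comma-separated value of the first flags: line in a file.
# Usage: audit_flags_from_file /etc/security/audit_control
audit_flags_from_file() {
    sed -n 's/^flags:[[:space:]]*//p' "$1" | head -n 1
}

# Return 0 if flag $1 appears as one element of comma-separated list $2.
has_flag() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the flag list in $1 satisfies every required flag, else 1.
# Unsatisfied flags are printed as "missing: ...".
# Semantics per audit_control(5): an unprefixed class records success and
# failure, a "-" prefix records failures only, "all" is every class, so
# "-all" covers any "-xx" requirement and "all" covers everything.
check_audit_flags() {
    flags=$(printf '%s' "$1" | tr -d '[:space:]')
    missing=""
    for req in $REQUIRED_FLAGS; do
        case "$req" in
            -*)
                cls=${req#-}
                if has_flag "$req" "$flags" || has_flag "$cls" "$flags" \
                   || has_flag "-all" "$flags" || has_flag "all" "$flags"; then
                    continue
                fi
                ;;
            *)
                if has_flag "$req" "$flags" || has_flag "all" "$flags"; then
                    continue
                fi
                ;;
        esac
        missing="$missing $req"
    done
    if [ -n "$missing" ]; then
        printf 'missing:%s\n' "$missing"
        return 1
    fi
    return 0
}

# Demonstration on a constructed audit_control (not copied from any host).
# On a real system, point audit_flags_from_file at /etc/security/audit_control.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
# constructed sample audit_control
dir:/var/audit
flags:lo,aa,ad
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:60d OR 5G
EOF
current=$(audit_flags_from_file "$tmp")
if check_audit_flags "$current"; then
    echo "flags line '$current' satisfies the control"
else
    echo "flags line '$current' does not satisfy the control"
fi
rm -f "$tmp"
```

The constructed sample fails the check and the script lists fm, -ex, -fr and -fw as missing. A flags: line that passes is either the explicit list from the control (fm,ad,-ex,aa,-fr,lo,-fw, in any order and alongside any other flags) or one that carries -all together with the success-and-failure classes fm, ad, aa and lo. After editing the file, running `sudo audit -s` asks auditd to re-read its configuration so the new flags take effect without a reboot.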

See Also

https://workbench.cisecurity.org/files/3569