Detections
Analytics

1.361 RHEL-09-652030

Information

All RHEL 9 remote access methods must be monitored.

GROUP ID: V-258144
RULE ID: SV-258144r1045286

Logging remote access methods can be used to trace the decrease in the risks associated with remote user access management. It can also be used to spot cyberattacks and ensure ongoing compliance with organizational policies surrounding the use of remote access methods.

Solution

Add or update the following lines to the "/etc/rsyslog.conf" file or a file in "/etc/rsyslog.d":

auth.*;authpriv.*;daemon.* /var/log/secure

The "rsyslog" service must be restarted for the changes to take effect with the following command:

$ sudo systemctl restart rsyslog.service

See Also

https://workbench.cisecurity.org/benchmarks/22008

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-17(1), CAT|II, CCI|CCI-000067, Rule-ID|SV-258144r1045286_rule, STIG-ID|RHEL-09-652030, Vuln-ID|V-258144

Plugin: Unix

Control ID: 9e7d98427dd43f312860bb6aab4acf849c79f7a44fe08a67e2247894ed98e517