Detections
Analytics

1.377 RHEL-09-653060

Information

RHEL 9 must label all offloaded audit logs before sending them to the central log server.

GROUP ID: V-258161
RULE ID: SV-258161r958416

Enriched logging is needed to determine who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult.

When audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system.

Satisfies: SRG-OS-000039-GPOS-00017, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224

Solution

Edit the /etc/audit/auditd.conf file and add or update the "name_format" option:

name_format = hostname

The audit daemon must be restarted for changes to take effect.

See Also

https://workbench.cisecurity.org/benchmarks/22008

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3, 800-53|AU-4(1), CAT|II, CCI|CCI-000132, CCI|CCI-001851, Rule-ID|SV-258161r958416_rule, STIG-ID|RHEL-09-653060, Vuln-ID|V-258161

Plugin: Unix

Control ID: 24d4cceb3b2f482db1c20b12aef32fca1ef2ae785d0353cbf655bd40be3fbe29