Rule ID
SV-279557r1192413_rule
Version
V1R1
CCIs
Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Verify Nutanix OS must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited using the following command. Note: Nutanix OS audit facility is locked down so that only root has access to browse below the /etc/audit/ directory. $ sudo ls -al /etc/audit/rules.d/audit.rules -rw-r-----. 1 root root 21587 Oct 11 03:16 /etc/audit/rules.d/audit.rules $ sudo ls -l /etc/audit/auditd.conf -rw-r-----. 1 root root 908 Oct 10 20:00 /etc/audit/auditd.conf If the files in the "/etc/audit/rules.d/" directory or the "/etc/audit/auditd.conf" file have a mode more permissive than "0640", this is a finding.
1. For AOS, configure the audit rules. $ sudo salt-call state.sls security/CVM/auditCVM 2. For Prism Central, configure the audit rules. $ sudo salt-call state.sls security/PCVM/auditPCVM 3. For Files, configure the audit rules. $ sudo salt-call state.sls security/AFS/auditAFS 4. For AHV, configure the audit rules. $ sudo salt-call state.sls security/KVM/auditKVM