← Back to VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide

V-239639

CAT II (Medium)

The SLES for vRealize must generate audit records for all direct access to the information system.

Rule ID

SV-239639r662368_rule

STIG

VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide

Version

V2R2

CCIs

CCI-000172

Discussion

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Check Content

The message types that are always recorded to the "/var/log/audit/audit.log" file include "LOGIN", "USER_LOGIN", "USER_START", "USER_END" among others and do not need to be added to audit.rules.

The log files "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" must be protected from tampering of the login records:

# egrep "faillog|lastlog|tallylog" /etc/audit/audit.rules

If "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" entries do not exist, this is a finding.

Fix Text

Ensure the auditing of logins by modifying the "/etc/audit/audit.rules" file to contain:

-w /var/log/faillog -p wa
-w /var/log/lastlog -p wa
-w /var/log/tallylog -p wa

OR

# /etc/dodscript.sh