Rule ID
SV-255268r960888_rule
Version
V2R1
CCIs
An attacker can compromise a web server during the startup process. If logging is not initiated until all the web server processes are started, key information may be missed and not available during a forensic investigation. To assure all loggable events are captured, the web server must begin logging once the first web server process is initiated.
Verify that SSMC is configured to generate log records for system startup and shutdown, system access, and system authentication events. To do so, check if auditd facility (session_log) is enabled: 1. Log on as ssmcadmin to ssmc appliance via SSH. Press "X" to escape to general bash shell. 2. Execute the following command: $ sudo /ssmc/bin/config_security.sh -o session_log -a status Session log is enabled If the console output does not show the session log function as enabled, this is a finding.
Configure SSMC to generate log records for system startup and shutdown, system access, and system authentication events. To do so, enable auditd facility (session_log): 1. Log on to SSMC appliance as ssmcadmin. Press "X" to escape to general bash shell from the TUI menu. 2. Execute the following command to enable session logging: $ sudo /ssmc/bin/config_security.sh -o session_log -a enable