Rule ID
SV-268282r1038736_rule
Version
V1R2
CCIs
Without auditing the enforcement of access restrictions against changes to the device configuration, it will be difficult to identify attempted attacks, and an audit trail will not be available for forensic investigation for after-the-fact actions. Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.
Check the contents of the "/var/log/audit/audit.log" file. Verify the audit log contains records showing when unsuccessful login attempts occur. If the audit log is not configured or does not have required contents, this is a finding. HYCU also maintains Event (Audit) information in the "HYCU Web UI Events" menu. Log in with incorrect credentials and check the HYCU Events. If the HYCU event of category "SECURITY" and status "Warning" is not logged, this is a finding.
Log in to the HYCU VM console and load the STIG audit rules by using the following commands: 1. cp /usr/share/audit/sample-rules/10-base-config.rules /usr/share/audit/sample-rules/30-stig.rules /usr/share/audit/sample-rules/31-privileged.rules /usr/share/audit/sample-rules/99-finalize.rules /etc/audit/rules.d/ 2. augenrules --load