If auditing is enabled late in the start-up process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.

Satisfies: SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000358-GPOS-00145, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152
1. Verify Nutanix OS is configured with the ausearch tool using the following command. The ausearch tool is a feature of the audit rpm.

$ sudo yum list installed audit
Installed Packages
audit.x86_64

2. Verify the package has not been removed using the following command.

$ sudo yum list installed audit
Installed Packages
audit.x86_64

3. Verify the package has not been disabled using the following command.

$ sudo systemctl status auditd.service
auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2024-10-11 03:16:33 UTC; 21h ago

If audit.x86_64 is not installed or is not active, this is a finding.
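The three checks above, written as an added shell function that is not part of the STIG text: it takes the captured output of the two commands as arguments and returns 0 (not a finding) only when the audit package is listed as installed and auditd is both enabled at boot and active. The function name, the argument convention and the sample outputs are constructed for this example.

```shell
#!/bin/sh
# Added example: decide the finding from captured command output.
# $1 is assumed to be the stdout of "sudo yum list installed audit",
# $2 the stdout of "sudo systemctl status auditd.service".
# Returns 0 for "not a finding", 1 for a finding, and prints the reason.
check_auditd() {
    yum_out=$1
    status_out=$2
    # Checks 1 and 2: the audit rpm must appear as an installed package.
    if ! printf '%s\n' "$yum_out" | grep -q '^audit\.x86_64'; then
        echo "finding: audit package not installed"
        return 1
    fi
    # Check 3: the unit must be enabled at boot (survives a reboot) ...
    if ! printf '%s\n' "$status_out" | grep -q 'Loaded: loaded .*; enabled;'; then
        echo "finding: auditd.service not enabled at boot"
        return 1
    fi
    # ... and currently running, so audit state is captured from start-up.
    if ! printf '%s\n' "$status_out" | grep -q 'Active: active (running)'; then
        echo "finding: auditd.service not active"
        return 1
    fi
    echo "not a finding"
    return 0
}

# Live use on a host (requires sudo):
#   check_auditd "$(sudo yum list installed audit 2>/dev/null)" \
#                "$(sudo systemctl status auditd.service 2>/dev/null)"

# Constructed sample outputs (not captured from a real system) for an offline run.
SAMPLE_YUM='Installed Packages
audit.x86_64    2.8.5    @anaconda'
SAMPLE_STATUS_OK='auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2024-10-11 03:16:33 UTC; 21h ago'
SAMPLE_STATUS_BAD='auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; disabled; vendor preset: enabled)
   Active: inactive (dead)'
```

A unit that is running but disabled still fails the check, because auditd would not start early on the next boot and the start-up gap described above would reappear.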
1. For AOS, Files, and Prism Central, this setting is configured by default to have ownership and permission levels set correctly to meet this requirement. If these are found to be out of compliance, some corruption has taken place and the OS must be rebuilt.

2. For AHV, configure the audit service to be active and start automatically with the system at startup. The audit service is protected and restricted to allow access or modifications only from the root account.

$ sudo su -
# systemctl start auditd.service