RHEL 10 must monitor all remote access methods.

STIG ID: RHEL-10-200647  |  SRG: SRG-OS-000032-GPOS-00013 |  Severity: medium (CAT II)  |  CCI: CCI-000067 |  Vulnerability Id: V-280990

Vulnerability Discussion

Logging remote access methods can be used to trace the decrease in the risks associated with remote user access management. It can also be used to spot cyberattacks and ensure ongoing compliance with organizational policies surrounding the use of remote access methods.

Check

Verify RHEL 10 monitors all remote access methods with the following command:

$ sudo grep -rE '(auth.\*|authpriv.\*|daemon.\*)' /etc/rsyslog.conf /etc/rsyslog.d/
/etc/rsyslog.conf:authpriv.* /var/log/secure

If "auth.*", "authpriv.*", or "daemon.*" are not configured to be logged, this is a finding.

Fix

Configure RHEL 10 to monitor all remote access methods.

Add or update the following lines to the "/etc/rsyslog.conf" file or a file in "/etc/rsyslog.d":

auth.*;authpriv.*;daemon.* /var/log/secure

Restart the "rsyslog" service with the following command for the changes to take effect:

$ sudo systemctl restart rsyslog.service
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.