The audit system must be configured to audit modifications to the systems network configuration.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-38540 | RHEL-06-000182 | SV-50341r2_rule | Low |
| Description |
|---|
| The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited. |
| STIG | Date |
|---|---|
| Red Hat Enterprise Linux 6 Security Technical Implementation Guide | 2015-05-26 |
Details
| Check Text ( C-46098r1_chk ) |
|---|
| To determine if the system is configured to audit changes to its network configuration, run the following command: auditctl -l | egrep '(sethostname|setdomainname|/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)' If the system is configured to watch for network configuration changes, a line should be returned for each file specified (and "perm=wa" should be indicated for each). If the system is not configured to audit changes of the network configuration, this is a finding. |
| Fix Text (F-43488r2_fix) |
|---|
| Add the following to "/etc/audit/audit.rules", setting ARCH to either b32 or b64 as appropriate for your system: # audit_network_modifications -a always,exit -F arch=ARCH -S sethostname -S setdomainname -k audit_network_modifications -w /etc/issue -p wa -k audit_network_modifications -w /etc/issue.net -p wa -k audit_network_modifications -w /etc/hosts -p wa -k audit_network_modifications -w /etc/sysconfig/network -p wa -k audit_network_modifications |